Enterprise level firewall experiences and recommendations

chuck2002

Senior member
Feb 18, 2002
467
I am in the process of doing some firewall implementation research for my employer. I am welcoming anyone's comments and experience with products that are working well for them.
I am considering Symantec's Gateway Security 5420 product along with a skinnied down Linux server running ipchains. --Reliability and a friendly user interface would be top choices for product expectations. Cost is less of a factor in comparison to the other two.
(Cisco PIX might not be best for our small organization and needs for easy setup, maintenance and config.)

Other than that, I am open for other product recommendations and other thoughts.

Our current network: University network backbone and internet service. Fiber to our floor, 100 megabit cat-5 to the desktop. Hardware config encompasses about 7 servers that need various access to the outside world (web, SQL, file, email and other special needs servers) and 90+ Win2k workstations.

Thanks.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
I must strongly disagree with the recommendation for the Firebox. First of all, as far as I can tell they can only be administered through a Windows-only GUI client. Thanks for playing, guys - come back when you learn how to make a real piece of network equipment (sad part is, it runs Linux deep under the hood). Second, it's a piece of equipment that failed repeatedly in production under load from a Windows virus - kept crashing and rebooting. When critical-path equipment fails massively in my network more than once, it comes out, and never goes back in.

I have no experience with the Symantec product, but don't trust Symantec in the firewall space at all. I have a little bit of experience with Checkpoint Firewall-1 and don't trust Checkpoint either. (Many folks swear by CheckPoint though)

Linux is great, but if the PIX doesn't meet your ease of use requirements, I'm not sure how Linux is going to be that much different. If you're looking at Linux, also look at OpenBSD -- their pf firewall code is really great stuff and also has some enterprise failover kinds of features now (pfsync & CARP). You can do a lot of magic with OpenBSD and/or Linux and do it at a very compelling total cost, but you need more expertise to get it set up right. I use OpenBSD where I have free reign to make the choice of what firewall to use, unless some particular requirement drives me to Linux or PIX.

The PIX boxes are pretty solid. Their ease of use leaves a lot to be desired and their OS has some really annoying user interface bugs, but they work and there are big-boy PIXes you can get to handle big loads and failover. I end up using PIX a lot for sites that want to buy a commercial product firewall, not so much because I like them most as because I dislike them least.
 

bgroff

Member
Jun 18, 2003
198
I agree with cmetz. Avoid weird firewall products. There are really only two truly "enterprise level" firewall products left standing, those being Checkpoint and Cisco PIX. Both of these products have their strengths and weaknesses, but overall both are good products. My personal experience has been heavy on the Checkpoint, and I don't hate it completely. The downside of Checkpoint is documentation and support. Cisco reigns supreme in product support when it comes to networking equipment... CCO and the TAC do a good job, but of course there's no free lunch...

As for the free software arena, there are two major players. Linux with IPtables (ipchains is outdated since IPtables is stateful) and *BSD (pf for OpenBSD, ipfw for FreeBSD). OpenBSD is nice and dandy, but seems to be flaky when it comes to hardware. Oh, and for a real neat trick on OpenBSD, pf will not swap (you'll get the ever so lovely "yuck-puke" OpenBSD screen, something that I've seen WAY too often).
 

Boscoh

Senior member
Jan 23, 2002
501
I support PIX firewalls exclusively. Very solid boxes. If you can handle the learning curve, that's what I'd go with.

While the initial config can prove difficult, once the PIX is setup you very seldom have to ever touch the thing to maintain it. The only real time you should have to log into the PIX is to troubleshoot a problem and see if it is the PIX, when you're making a config change, or when you're updating the OS. Updating the OS is also very easy.

Also, check out Netscreen. They have some solid boxes and really give the PIX some competition. Compare the features, the Netscreen has some that the PIX doesn't - at least right now...they will be pretty much on par when PIX OS 7.0 comes out at the end of the year.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
Originally posted by: bgroff

As for the free software arena, there are two major players. Linux with IPtables (ipchains is outdated since IPtables is stateful) and *BSD (pf for OpenBSD, ipfw for FreeBSD). OpenBSD is nice and dandy, but seems to be flaky when it comes to hardware. Oh, and for a real neat trick on OpenBSD, pf will not swap (you'll get the ever so lovely "yuck-puke" OpenBSD screen, something that I've seen WAY too often).

You forgot pf and ipf on NetBSD and FreeBSD. I've never had problems with OpenBSD and pf. Maybe you should submit a bug report. And the only flaky hardware I've seen was either bad or really old and crappy.

I like checkpoint for enterprise things. It has some nice high availability features.
 

bgroff

Member
Jun 18, 2003
198
Originally posted by: n0cmonkey
Originally posted by: bgroff

As for the free software arena, there are two major players. Linux with IPtables (ipchains is outdated since IPtables is stateful) and *BSD (pf for OpenBSD, ipfw for FreeBSD). OpenBSD is nice and dandy, but seems to be flaky when it comes to hardware. Oh, and for a real neat trick on OpenBSD, pf will not swap (you'll get the ever so lovely "yuck-puke" OpenBSD screen, something that I've seen WAY too often).

You forgot pf and ipf on NetBSD and FreeBSD. I've never had problems with OpenBSD and pf. Maybe you should submit a bug report. And the only flaky hardware I've seen was either bad or really old and crappy.

I like checkpoint for enterprise things. It has some nice high availability features.


OpenBSD has been nothing but a cranky old woman on the ECS KT7SA mobo I have. Linux doesn't complain a bit... Therefore, I blame the hardware. Call me crazy, but OpenBSD seems a lot more cranky than Linux.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
If you are using OpenBSD as a firewall, you need to tune its kernel memory management to work as a firewall instead of as a general-purpose server. There is a hard division between kernel memory (used for network functions, such as packet buffering and pf state tables) and user space memory (for applications) and it can't be changed once the system's running. By default, something like 15% of memory is allocated for the kernel, and the rest for user space - not the right split for a box that's basically going to need it all for the network stuff and not for applications.

This is all mentioned in the documentation..
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
Originally posted by: bgroff
Originally posted by: n0cmonkey
Originally posted by: bgroff

As for the free software arena, there are two major players. Linux with IPtables (ipchains is outdated since IPtables is stateful) and *BSD (pf for OpenBSD, ipfw for FreeBSD). OpenBSD is nice and dandy, but seems to be flaky when it comes to hardware. Oh, and for a real neat trick on OpenBSD, pf will not swap (you'll get the ever so lovely "yuck-puke" OpenBSD screen, something that I've seen WAY too often).

You forgot pf and ipf on NetBSD and FreeBSD. I've never had problems with OpenBSD and pf. Maybe you should submit a bug report. And the only flaky hardware I've seen was either bad or really old and crappy.

I like checkpoint for enterprise things. It has some nice high availability features.


OpenBSD has been nothing but a cranky old woman on the ECS KT7SA mobo I have. Linux doesn't complain a bit... Therefore, I blame the hardware. Call me crazy, but OpenBSD seems a lot more cranky than Linux.

And my experiences are pretty much the opposite on a range of x86 hardware.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
Originally posted by: cmetz
If you are using OpenBSD as a firewall, you need to tune its kernel memory management to work as a firewall instead of as a general-purpose server. There is a hard division between kernel memory (used for network functions, such as packet buffering and pf state tables) and user space memory (for applications) and it can't be changed once the system's running. By default, something like 15% of memory is allocated for the kernel, and the rest for user space - not the right split for a box that's basically going to need it all for the network stuff and not for applications.

This is all mentioned in the documentation..

Can you point out those documents? I haven't seen anything in the pf guide.

EDIT: This is probably what you were talking about...
 

Darthkim

Senior member
Dec 11, 1999
204
Chuck,

Just wanted to chime in on the SGS.... We are currently running the older SEF and Velociraptors. A thorn in my side with both products has been with the writing of the rulesets. If you want to use packetfilters, you have to create a rule for both your firewall and packetfilters. They haven't changed that in SGS, so writing rules may take some getting used to... From a security standpoint, they have been solid for over 3 years.

But we are now moving to Checkpoint's due to some issues we have with the availability of future hardware maintenance with the Velociraptors. They do have easily the most friendly GUI and have a slew of tools to see what your current load is and what type of traffic you are carrying. I would recommend that you get the demo CD from a VAR so you can see for yourself.

It appears that most of your requirements could be fulfilled with a PIX/Netscreen/*nix/*BSD setup, but as in every enterprise, there are other factors to consider.

Good luck.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
n0cmonkey, you got it. Also see the options man page, linked on the page you linked.

Executive summary: NMBCLUSTERS & NKMEMCLUSTERS should be increased.

netstat -m, pfstat, vmstat, and dmesg are tools that will tell you what your utilization is and/or if you really need to increase the pools and give you some idea of how much. Much of this will cease to be an issue if and when they improve the memory manager. I believe that NetBSD has the necessary code in the form of UBC, but the OpenBSD guys haven't merged it and there might be good reasons why (e.g., stability).

Re: Netscreen, I've used NS5s and NS10s and found them to be fairly bad boxes. You really have to use the Web GUI to configure them (uh, is this an enterprise product?) and their support is just unacceptable. Their beefier boxes are supposedly a whole different OS (Linux deep under the hood I believe) and so my experiences with the small boxes may be irrelevant to the bigger ones, but my experiences with the company remain. Juniper recently bought Netscreen and that could be good, could be bad, time will tell - but my gut is that I'd be very nervous about buying an expensive product from a company currently in the middle of being digested, just because you know there will be major changes but don't know much about how they're going to play out.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
Originally posted by: cmetz
n0cmonkey, you got it. Also see the options man page, linked on the page you linked.

Executive summary: NMBCLUSTERS & NKMEMCLUSTERS should be increased.

I've messed with them previously, but at home I don't have a need. I'm just running GENERIC on all of my machines (have been since 2.8 I think). I may play with it when I get a new firewall machine though.

(I'm not an idiot, I did know what you were talking about, really I did! )

netstat -m, pfstat, vmstat, and dmesg are tools that will tell you what your utilization is and/or if you really need to increase the pools and give you some idea of how much. Much of this will cease to be an issue if and when they improve the memory manager. I believe that NetBSD has the necessary code in the form of UBC, but the OpenBSD guys haven't merged it and there might be good reasons why (e.g., stability).

There is a UBC branch. IIRC, tedu is working on it. He had an initial port of UBC for i386 only, and it wasn't quite finished (no NFS). UBC is one of the goals of ekkoBSD (an OpenBSD fork), but I don't know how far they have gotten with it yet. I think stability, security, and manpower are the big problems with getting it working. Same goes for SMP, but Niklas doesn't have enough time to get it out as quickly as everyone would like.
 

chuck2002

Senior member
Feb 18, 2002
467
Thanks for taking the time to respond, guys. I will digest the opinions and look over the suggestions.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
n0cmonkey, NMBCLUSTERS mostly comes into play when you have more load going through the box, since what it more or less controls is how much packet buffer space the box has. If you put more traffic through the box, you need more buffer space to handle the load.

NKMEMCLUSTERS you need mostly if you keep state, it controls how much memory the kernel has. However, with the pool(9) mbuf allocator, non-cluster (small) mbufs come out of this space, too, so it also affects that.

My home firewall runs GENERIC, no problem, as do many sites whose firewall I set up with OpenBSD. But I do have a few that need the bump because they're on 100Mb/s FDX connections to the Internet (data centers, or metro Ethernet fiber connections).

UBC and making all this invisible to the user would be nice. OpenBSD / Linux does require more skill and research on the admin's part.
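As an added illustration of the check cmetz describes (reading `netstat -m` to decide whether NMBCLUSTERS needs raising), here is a small sh/awk script that is not from the thread or from OpenBSD itself. It parses `netstat -m`-style output and flags a cluster pool whose peak usage sits at or above a threshold of its maximum, or any denied allocation requests. The two samples embedded in it are constructed to approximate OpenBSD's `current/peak/max` layout and are not real captures; the exact column layout is an assumption, so check it against your own box's output before relying on the parser. It does not cover NKMEMCLUSTERS, for which the posts point at vmstat and pfstat instead.

```shell
#!/bin/sh
# Added example (not from the thread): flag mbuf cluster pool pressure from
# netstat -m output. Constructed samples below approximate OpenBSD's format
# ("current/peak/max" on each cluster line); they are not real captures.

SAMPLE_OK='314 mbufs in use:
        300 mbufs allocated to data
        14 mbufs allocated to packet headers
102/256/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
1284 Kbytes allocated to network (37% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

SAMPLE_PRESSURE='5120 mbufs in use:
        5100 mbufs allocated to data
        20 mbufs allocated to packet headers
5890/6144/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
12288 Kbytes allocated to network (96% in use)
37 requests for memory denied
0 requests for memory delayed
4 calls to protocol drain routines'

# cluster_pressure OUTPUT [THRESHOLD_PCT]
# Prints one line per cluster pool with its peak/max usage, plus a line for
# any denied allocation requests. Exit status 0 means headroom; 1 means a
# pool peaked at or above THRESHOLD_PCT (default 80) or allocations were
# denied, i.e. NMBCLUSTERS should be raised.
cluster_pressure() {
    printf '%s\n' "$1" | awk -v thr="${2:-80}" '
        /clusters in use/ {
            n = split($1, a, "/")          # a[1]=current a[2]=peak a[3]=max (assumed order)
            if (n != 3 || a[3] == 0) next
            label = ($0 ~ /byte clusters/) ? ($3 "-byte") : "mbuf"
            pct = int(a[2] * 100 / a[3])
            printf "%s cluster pool: peak %d of %d (%d%%)\n", label, a[2], a[3], pct
            if (pct >= thr) bad = 1
        }
        /requests for memory denied/ && $1 > 0 {
            printf "%d allocation requests denied\n", $1
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# On a live OpenBSD box you would run: cluster_pressure "$(netstat -m)"
cluster_pressure "$SAMPLE_OK" && echo "OK: cluster pools have headroom"
cluster_pressure "$SAMPLE_PRESSURE" || echo "WARNING: raise NMBCLUSTERS (check NKMEMCLUSTERS too if pf state tables are large)"
```

The peak value matters more than the current one: a pool that has already hit its ceiling once will do so again under the same load, and on a 100 Mb/s full-duplex link the denied-request counter is usually the first symptom.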
 