Hi all,
Thank you for your kind advice and replies.
To take things in order: I don't need to filter my spam any further. The front Exim server with some good RBLs and SA behind it is very accurate for me and, yes, costs time to maintain, but works fine (by the way, thanks to ImproWare, if you follow the list, for the great addons you freely offer).
As for the others, I was thinking about ASA, SSG and Fortigate appliances; however, as mentioned, all have their pros and cons and I just dislike the license model of these vendors (I have no clue about Juniper's license model, but I can guess it is no different; Cisco and Fortinet make the appliance for a fair price, and when you add features you pay three times the appliance's price). Both are a bit pricey, but I keep them as an option.
As for the other advice, I already run some security measures. I run PHP through suPHP, have PHP compiled with some patches and have a very restrictive php.ini file set to forbid as many actions as possible. Fortunately, we do not run ugly code (I am thinking of Joomla stuff), have noexec partitions, the right file permissions and a limited number of people able to upload stuff. I have as well some mods for Apache (mod_cband, mod_security2, mod_evasive), and the signature and tokens of Apache/PHP are all set to off. I have also done some basic tuning of sysctl to make sure it is suitable for my needs.
The boxes are pretty clean, and we have even taken the luxurious measure of running an anti-virus scan once a week (using AVG). I've received an offline email about appliances based on BSD and running on x86 hardware, and that is actually the way I was thinking of going. Tim was speaking about pfSense and I was pretty much looking in that direction, only it is not easy to benchmark these systems vs ASA vs SSG vs Fortigate. I was also thinking of a stripped-down BSD/Linux box and using fwbuilder, which runs on Linux, Windows and Mac, so on about all of the most widespread OSes.
The point is that I am very undecided about what direction to adopt. I would feel 'safer' using an appliance built on purpose for that, but when you think about it, they probably rely in some way on BSD/Linux and some ASIC hardware, so in the end they are not that much better (maybe when you push a lot of traffic through them, but the vendors' figures are likely just sales figures: they mention throughput, but not the packet size and type used for the benchmark, and no vendor mentions in their nice PDF files the PPS they are able to handle).
Feeling lost, I am probably going to benchmark them myself, probably an ASA vs an Intel BSD box. Just wondering how you guys did your benchmarks? Anybody got some benchmark hints? I guess most of you went with nmap, iperf and hping tools. However, I am still interested in your trial and evaluation methods if you can advise, or your thoughts on BSD vs Cisco.
Thanks again, all, for your spontaneous help and tips; very much appreciated.
Cheers.
Simon
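As an added illustration (not Simon's actual configuration, nor anything from the list), here is a per-site php.ini of the restrictive kind a suPHP setup would use, covering the "forbid as many actions as possible" and "PHP tokens off" points above. The directives are standard PHP settings; the vhost paths are assumed.

```ini
; Added illustration: a restrictive per-vhost php.ini of the kind used
; with suPHP. Paths such as /var/www/vhosts/example are assumptions.

; Hide the PHP version from the X-Powered-By header ("tokens off")
expose_php = Off

; Never echo errors to visitors; keep them in a log the admin can read
display_errors = Off
log_errors = On
error_log = /var/www/vhosts/example/logs/php_error.log

; Confine file access to the vhost's own tree (plus the temp dir)
open_basedir = /var/www/vhosts/example:/tmp

; Remote file inclusion is a common web-shell vector; disable both
allow_url_fopen = Off
allow_url_include = Off

; Forbid shell-out and process-control functions a hosting site does not need
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; Bound upload size, request time and memory so one request cannot exhaust the box
file_uploads = On
upload_max_filesize = 8M
post_max_size = 8M
max_execution_time = 30
memory_limit = 64M

; Session hardening: cookies only, and not readable from client-side script
session.use_only_cookies = 1
session.cookie_httponly = 1
```

The Apache side of "signature and tokens off" is the pair `ServerTokens Prod` and `ServerSignature Off` in httpd.conf.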
2009/9/16 Tim Jansen <Tim.Jansen@macd.com>
Hi Simon,
maybe you are interested in a very good open source firewall system; if so, you should
keep an eye on pfSense.
It has a lot of features and the management is quite easy if you know what you want.
It includes Snort and many other features, and the documentation is also very good,
with many howtos, for example for clustering or any other examples of how to
set up pfSense.
Maybe this is an alternative to the expensive Cisco and Juniper models. You only
need a box with enough CPU power and network cards.
Kind regards, Tim
Simon Leins wrote:
> Dear fellows,
>
> I am currently looking for a security solution for my company. I know that I
> will not get many answers from the list, as security is pretty much the
> secret recipe of all network operators.
>
> However, I had better try to send a post here and see what feedback I can
> get, so let's get started.
>
> I run a farm of 15 servers, all running RedHat Linux 5 x64. These
> servers are mainly webhosting oriented; they handle website files,
> databases and email. The network is multihomed and with a capacity of 3
> x 100 Mbit. We currently don't have any kind of security, nor a firewall
> appliance (yes, I know, shame on me).
>
> At this point, I am looking at a cost-effective solution. I have checked
> around for commercial solutions and have found Cisco and Juniper to be
> my options.
>
> I must admit that I am not convinced at all by these brands and would
> feel pretty ashamed to have a Cisco ASA toy in my rack. As for Juniper,
> it seems that the boxes are a bit overpriced for my single-featured IT
> department and would kill my poor yearly budget.
>
> I used to see some dirty forged packets hitting the servers. They never
> took a server down, nor made them fill up the memory, but I consider that I
> could see some "dos" or even non-bot-size "ddos" attacks. Another point
> is that I must have a firewall that is transparent. Some servers
> require a public IP (for dumb license reasons).
>
> What would you advise? Is BSD/Linux with a multi-gig port a good option
> to consider? What firewall do you advise? How do you clean up ddos?
>
> Looking forward to reading all answers.
>
> Regards.
>
> - Simon
--
Tim-Oliver Jansen
http://www.macd.com Tel.: +49 (0)241 44597-16
Macdonald Associates GmbH Geschäftsführer: George Macdonald
Oppenhoffallee 103, D-52066 Aachen Amtsgericht Aachen, HRB 8151, Ust.-Id DE813021663