[142533] in North American Network Operators' Group
Re: Firewall Appliance Suggestions
daemon@ATHENA.MIT.EDU (Brent Jones)
Thu Jun 30 16:46:26 2011
In-Reply-To: <CC75EEBF17C7374EA8309102B7B10C840C7E3A@SHSBS.shenrons-house.local>
Date: Thu, 30 Jun 2011 13:46:18 -0700
From: Brent Jones <brent@servuhome.net>
To: "Blake T. Pfankuch" <blake@pfankuch.me>
Cc: "NANOG \(nanog@nanog.org\)" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch <blake@pfankuch.me> wrote:
> Howdy,
>         I am looking for something a little unique in a bit of a tough
> situation with some sticky requirements.  First off, my requirements are
> a little weird and I can't bend them a whole lot due to stipulations
> being put on me.  I am in need of a firewall appliance which can be run
> on VMware vSphere, with IPSEC support for multiple Phase 2 negotiations
> within a single Phase 1.  I am also in need of something that can
> support VLAN interfaces on the LAN side, and ideally something with
> multi zoning so I can keep LAN side networks separate from each other
> without ridiculous firewall rules.  Meaning build a zone for "Customer
> network 1" and it displays separately (ease of management and firewall
> config hopefully).  I need a minimum of 10 "zones" on LAN side (/29 or
> /30), and NAT support for LAN to WAN (to dedicate all outbound
> connections to a single IP from a specific zone), ideally something
> extremely scalable (100-200 zones).  And here is the super fun part!  I
> need something that is going to be web managed primarily as minions will
> be doing most of the day to day maintenance, or very simple CLI config.
> Willing to pay for something if need be, but looking for something that
> can easily handle 50-100mbit of throughput.
>
> Any Ideas?
>
> Thanks!
>
> Blake Pfankuch
>
I just moved most of my network over to Juniper SRX firewalls. They
are pretty easy, but having a half-brained NOC guy make firewall
changes is a bad idea either way.
-- 
Brent Jones
brent@servuhome.net