[142534] in North American Network Operators' Group


Re: Firewall Appliance Suggestions

daemon@ATHENA.MIT.EDU (Chris Lowe)
Thu Jun 30 17:00:08 2011

Date: Thu, 30 Jun 2011 13:58:21 -0700
In-Reply-To: <BANLkTikZ0JmBS3D8QKno87J3YaZ_-LPzOw@mail.gmail.com>
From: "Chris Lowe" <clowe@intelius.com>
To: <brent@servuhome.net>, <blake@pfankuch.me>
Cc: nanog@nanog.org


        =20

----- Original Message -----
From: Brent Jones [mailto:brent@servuhome.net]
Sent: Thursday, June 30, 2011 01:46 PM
To: Blake T. Pfankuch <blake@pfankuch.me>
Cc: NANOG (nanog@nanog.org) <nanog@nanog.org>
Subject: Re: Firewall Appliance Suggestions

On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch <blake@pfankuch.me> wrote:
> Howdy,
>         I am looking for something a little unique in a bit of a tough
> situation with some sticky requirements. First off, my requirements are a
> little weird and I can't bend them a whole lot due to stipulations being
> put on me. I am in need of a firewall appliance which can be run on VMware
> vSphere, with IPsec support for multiple Phase 2 negotiations within a
> single Phase 1. I am also in need of something that can support VLAN
> interfaces on the LAN side, and ideally something with multi-zoning so I
> can keep LAN-side networks separate from each other without ridiculous
> firewall rules. Meaning, build a zone for "Customer network 1" and it
> displays separately (ease of management and firewall config, hopefully).
> I need a minimum of 10 "zones" on the LAN side (/29 or /30), and NAT
> support for LAN to WAN (to dedicate all outbound connections to a single
> IP from a specific zone), ideally something extremely scalable (100-200
> zones). And here is the super fun part! I need something that is going to
> be web managed primarily, as minions will be doing most of the day-to-day
> maintenance, or very simple CLI config. Willing to pay for something if
> need be, but looking for something that can easily handle 50-100mbit of
> throughput.
>
> Any ideas?
>
> Thanks!
>
> Blake Pfankuch
>

I just moved most of my network over to Juniper SRX firewalls. They
are pretty easy, but having a half-brained NOC guy make firewall
changes is a bad idea either way.


-- 
Brent Jones
brent@servuhome.net
