[clue-tech] Which computer to use for Linux firewall??
David L. Anselmi
anselmi at anselmi.us
Thu Feb 9 16:29:08 MST 2006

Matt Atkins wrote:
[...]
> I have 50 users in the Corporate office, two domestic offices with less
> than 20 at each site. I have an office in San Felipe, Baja Norte,
> Mexico with about 100 users and an office in Mazatlan with 50 users. I
> need a site to site VPN tunnel between all of the branch offices and the
> Corporate office. I also have 5 users who need to VPN into the network
> from home.

You didn't say what kind of bandwidth or utilization you have between
the above and that will probably drive your load. VPN is the heaviest
weight of what you list, assuming you're not doing anything beyond basic
packet filtering. I'd guess that the cheapest Dell you can find will do.

Any chance you can prototype your solution on one link (or in a lab that
simulates a link) before committing to the whole thing? Perhaps a runoff
between an appliance solution and a general purpose Linux solution? Are
you able to profile the performance well enough to know what will work?

You should consider that you might propose something, it will be
approved, you'll build it, and it will fail utterly. The consequences
of that should drive how cautious you are about engineering your
solution well. And don't forget to leave some room for a couple of
years of growth.

As for reliability, I'd try to avoid a box with a hard drive. Gibraltar
was a run-from-CD firewall that I looked at long ago--be worth a look if
it's still active. Use a small USB stick to store your configs.

Think about a service contract with a quick turnaround, or on-site
spares and what your worst case recovery scenario is. Obviously you
don't need "within an hour" recovery if your other network equipment
(including your provider's SLA) might take a week to recover. But this
is a business decision so you need to get the execs thinking about what
downtime costs and design a solution that limits the cost to something
reasonable.

One advantage of an appliance type solution is that the vendor may be
able to estimate your needs better than you. Or you might get a
consultant to do the design (or the whole system) for you. Personally I
would prefer an Open Source solution and one way you can give back to
the community is to pay for the things you use (consulting, donations to
developers, whatever). You might even find someone on this list that
will consult and teach you how to do this right.

Finally, if you haven't heard of them yet, check out SAGE and LOPSA.
There are a lot of smart people there. And read Tom Limoncelli's book
on system administration.

Dave
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech