So, the more I look at various ways to lay out my infrastructure, the more I am thinking about specs for hardware.

Starting with firewalling.

How does one determine the specs for a firewall?

What I mean is:

1. motherboard/CPU - P4? Dual-Core? Intel i3, i5, i7?

2. RAM? 4GB? 8GB? More? 32GB?

3. Obviously GB NICs!

I am bringing about 300GB of traffic a month right now and I expect that to increase significantly with my next offerings.

Obviously one answer is to buy a beefy motherboard that supports lots of RAM and add more as needed, but where does one start out?

How do I know if my firewall would need more RAM?

How do I know if the CPU is good enough?

I still go back to my Cisco PIX days where these devices were amazing on just 256MB of RAM. We piloted a large chunk of Cornell University's Lab of Ornithology on 2 of these, but nowadays it seems that a PIX would not be good enough. Is it because the nature of the internet and data and attacks has changed over time? More aggressive?

-Jason
On 01/17/12 3:36 PM, Jason T. Slack-Moehrle wrote:
> So, the more I look at various ways to lay out my infrastructure, the more I am thinking about specs for hardware.
>
> Starting with firewalling.
>
> How does one determine the specs for a firewall?
>
> What I mean is:
>
> 1. motherboard/CPU - P4? Dual-Core? Intel i3, i5, i7?
>
> 2. RAM? 4GB? 8GB? More? 32GB?
>
> 3. Obviously GB NICs!
>
> I am bringing about 300GB of traffic a month right now and I expect that to increase significantly with my next offerings.
>
> Obviously one answer is to buy a beefy motherboard that supports lots of RAM and add more as needed, but where does one start out?
>
> How do I know if my firewall would need more RAM?
>
> How do I know if the CPU is good enough?

a pure firewall at gigE speeds really doesn't need that much ram and only a fair-to-middling processor. more than 2 cores would likely be wasted. It's when you start layering other server functionality on top of the firewall system that you need more hardware.

I'd expect that with a firewall-centric OS distribution like pfSense, a dual core 2-3GHz i3 could easily keep up with gigE and quite complex rule sets, several network zones. No storage requirements at all, unless you plan on keeping your logging local on the firewall. to maintain gigE throughput you'll want to use server grade NICs and not cheap desktop ones. If you're using a lot of VPN encryption, more and/or faster CPU cores would be useful.

a few 100MB of ram is plenty for 100s of 1000s of concurrent connections, so unless you're doing other ram intensive stuff like Snort or NetTop, 1GB ram would be plenty.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
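To put numbers on the two heuristics in John's reply (monthly volume versus link speed, and RAM versus tracked connections), here is a small capacity-planning calculator. It is an added example written for this thread, not code from any poster, pfSense or CentOS. The per-entry cost of a connection-tracking record (BYTES_PER_CONNTRACK_ENTRY) and the one-bucket-per-four-entries hash table ratio are assumed round figures in the range of a Linux nf_conntrack build, not values from the thread; the 500,000-connection count is a constructed input, while the 300GB/month figure is Jason's.

```python
"""Rough firewall capacity-planning estimates (added example, not from the thread).

Answers two sizing questions: does a monthly transfer volume come anywhere
near a gigE link, and how much RAM does a stateful firewall's connection
table need for N concurrent flows.
"""

SECONDS_PER_MONTH = 30 * 24 * 3600      # 30-day month
BYTES_PER_CONNTRACK_ENTRY = 320         # assumed; real size varies by kernel build
HASH_BUCKET_BYTES = 8                   # assumed: one pointer per hash bucket


def monthly_volume_to_mbps(gigabytes_per_month, burst_factor=1.0):
    """Convert a monthly volume (decimal GB) into an average rate in Mbit/s.

    burst_factor scales the average up for peak planning, since traffic is
    never spread evenly over the month.
    """
    bits = gigabytes_per_month * 1e9 * 8
    return bits / SECONDS_PER_MONTH / 1e6 * burst_factor


def conntrack_memory_mib(max_connections, hash_buckets=None):
    """Estimate RAM (MiB) for the connection table.

    One entry per tracked flow plus the hash table; by default assume one
    bucket per four entries.
    """
    if hash_buckets is None:
        hash_buckets = max_connections // 4
    total_bytes = (max_connections * BYTES_PER_CONNTRACK_ENTRY
                   + hash_buckets * HASH_BUCKET_BYTES)
    return total_bytes / (1024 * 1024)


def size_firewall(gigabytes_per_month, max_connections,
                  link_mbps=1000, burst_factor=10.0):
    """Summarise link utilisation and connection-table RAM for a planned load."""
    avg = monthly_volume_to_mbps(gigabytes_per_month)
    peak = monthly_volume_to_mbps(gigabytes_per_month, burst_factor)
    ram = conntrack_memory_mib(max_connections)
    return {
        "avg_mbps": round(avg, 2),
        "peak_mbps": round(peak, 2),
        "link_utilisation_pct": round(peak / link_mbps * 100, 2),
        "conntrack_mib": round(ram, 1),
        "fits_link": peak < link_mbps,
    }


if __name__ == "__main__":
    # 300GB/month is Jason's figure; 500,000 concurrent connections is a
    # constructed value to check the "a few 100MB of ram" claim.
    for key, value in size_firewall(300, 500_000).items():
        print(f"{key}: {value}")
```

The output shows why the thread's answers are so relaxed: 300GB a month averages under 1 Mbit/s, and even a 10x burst stays around 1% of a gigE link, while half a million tracked connections cost on the order of 150 MiB under the assumed entry size. Note that the CPU side (packet rate, VPN crypto, IDS) is not modelled here; raw volume says little about packets per second, which is what actually loads a firewall CPU.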
Dear Jason,

On Tue, 17 Jan 2012 15:36:09 -0800 "Jason T. Slack-Moehrle" <slackmoehrle at gmail.com> wrote:
> How does one determine the specs for a firewall?

Depends on your requirements. If you just want some port filtering/forwarding it can be done by low power Atom machines or even some old hardware (Pentium 2, possibly even older). ARM, MIPS are also fine, but check if your software/OS runs on that very special architecture.

If it is a mission critical firewall I'd recommend buying new hardware instead of reusing your ten year old Pentium 3. If you need new memory it's often cheaper to buy 8 GB of RAM instead of 1, 2 or 4GB nowadays.

Don't skimp on network adapters! $10 adapters are usually not built for 24/7 usage.

If you want to do deep packet inspection (i.e. antispam, antivirus, etc.) you should invest in decent (!) hardware.

If you'd like to access your firewall remotely you should consider a remote management card like ILO, DRAC.

UPS, diesel motor, failover cluster, how much money do you have? ;-)

Brgds

--
Freundliche Gruesse/Best Regards
Benjamin Hackl
IT/Administration
Media FOCUS Research Ges.m.b.H.
Maculangasse 8, 1220 Wien
Austria
Tel: +43 1 258 97 01-295
b.hackl at focusmr.com