  1. Post
    #1

    Replacing a Draytek Vigour for Fiber

    Hey Guys,

    My work recently got audited and they have started looking at replacing their router.

    Boss wants dual WAN so we have two internet connections to one router for redundancy's sake. I think this will be when we move into a new building, so a router change is what we're after now.

    What do you recommend? I was looking at https://www.ubnt.com/unifi-routing/usg/; however, it doesn't support multi-endpoint site-to-site VPN for the same subnet from the UI. It does support it, you just have to **** around with a JSON file.

    Requirements:
    - VLAN tagging
    - VLAN
    - DHCP
    - Traffic monitoring
    - handle about 80 devices simultaneously using internet
    - VPN
    - Site-To-Site VPN
    Any help and recommendations would be great.

  2. Post
    #2
    What was the audit regarding? What's your budget like? What's your current throughput? How many VPN users? How many sites? Do you require SFP/SFP+? What's your internal switching like, do you need/support link aggregation (LACP)?

  3. Post
    #3
    Was gonna say pick up a 2nd hand Fortigate or SonicWall off Trade Me, but there doesn't seem to be many. Same questions as Analgia.

  4. Post
    #4
    Redundant... In one box.

    Anyway, you could do worse than an SRX (https://www.trademe.co.nz/computers/...1881983889.htm) but I would keep an eye out for an SRX345, they're quite capable and have a GUI so you don't even need a JNCIE hanging around to configure it. I bought a few recently as branch routers (in packet mode, not as stateful firewalls) and they're great. Dual PSU (might help with the redundancy) and support 8x copper and 8x SFP.

    I have recently deployed a couple of Fortigates, in particular the FVM64 (virtual firewall). They can be run in HA on the same (or separate) tin, perform well in an office of 150 people with modest HW requirements and can do a raft of connectivity options, firewalling and VPN stuff. Not sure how much they cost, but they are quite robust, surprisingly so. We run dual 1G links into each one, with site-to-site VPN, IDS/IPS, BGP etc. all on there.

  5. Post
    #5
    Virtual firewall can never compete with the dedicated silicon (ASICs or Caviums). I once compared the (real) performance and it came out about $4 to $1 (you had to spend $4 on generic tin for $1 of specialized tin to get relevant performance). Pricing on the virtuals is not really any cheaper either.

  6. Post
    #6
    Depends what kind of performance you need, but yeah, obviously a real ASIC would stop a VM when it comes to raw packet handling. Ours seems to be totally unworried by 15k active sessions and shitloads of SMB traffic, but I admit I don't know the prices, someone else bought them.

    In the 1Gbit/s realm you're fine going virtual.

  7. Post
    #7
    Once you start doing more Layer 7 stuff, SSL decrypt, more VPN, it starts to show. You see the same thing when you put ASIC/Cavium based platforms (Palo, Forti, SonicWall) against generic x86 gear (Cisco, Checkpoint, Sophos). It's pretty much why Checkpoint are romping around saying SSL decrypt is bad, because their boxes cannot handle it.

  8. Post
    #8
    Agree, would love to see some real world numbers too. Undefineed needs to give us more info.

  9. Post
    #9
    Our hosting providers won't touch advanced features on their virtualized firewalls because it kills performance (we wanted to do server SSL decrypt/reverse proxy). Before I left my old job I was looking at the metrics on the virtual version of our firewalls; raw packet forwarding performance was insane, but as soon as things got complex it nosedived. We also did a competitive breakdown on brand F virtual and that's where we got the 4:1 numbers.

    What I can tell you is a certain company was building a multi-CPU platform: x86, Cavium Octeon/MIPS, and ARM (the new Cavium CPUs are ARM based) all in one box, with slots for various CPU cards for DC deployments. Was pretty awesome looking.

  10. Post
    #10
    The virtual stuff is a significant cost saving, for stuff like FortiManager and FortiAnalyser it's a good option.

  11. Post
    #11
    I guess capex vs opex comes into it too. I'm lucky, our security team wanted to wazz their budget on it so I just sat back and let them buy whatever.

  12. Post
    #12
    Analgia wrote:
    The virtual stuff is a significant cost saving, for stuff like FortiManager and FortiAnalyser it's a good option.
    Reporting and management are using Linux/x86 code, so yes, virtualization is easy for those for any vendor. But FortiManager and FortiAnalyzer are not the actual firewall device. When you turn on VPNs (particularly non-AES), Layer 7 inspection, and/or SSL decryption, then you start to notice the lack of performance in the virtual versions.