Entry Level Firewalls
This is the second post in a series about building out an entry-level infrastructure footprint.
When most people think about firewalls the first name that comes to mind is Cisco. One of the things you will learn is that I am not a huge fan of Cisco. You pay a whole lot for that logo on the box. They used to be the innovators in the space, but they have since been overtaken by many newcomers and other veterans.
When you have decided that the time is right to build out your data center, one of the first pieces of equipment you will need is a Firewall. Why a firewall? Well, the right firewall will cover a number of necessities:
- Router – Routing between your bandwidth provider's link and small public IP block on one side and the larger private IP block you will use on the other side, translating addresses between the two. It will also support high availability across more than one bandwidth provider.
- Security Appliance – You don't want to get hacked! Permit only the minimal set of traffic sources in and out.
- VPN – Either build a VPN tunnel to your office, or use IPsec or SSL to get remote access into your servers, so that no one else has access.
Whatever firewall you select will likely advertise many more things it can do. Treat those as bonuses, because many of these additional features will not be good enough to actually rely on.
My number one choice for firewalls is Juniper Networks. They make a large array of firewalls and have some great and very reasonably priced options for the entry-level market. Their JunOS operating system and configuration language are easier than Cisco's IOS, though they take a little getting used to; Juniper will generally help you get it set up the first time, especially when purchased through a partner like Trace3 or Baypointe Technologies.
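The three roles above (router/NAT, minimal traffic in and out, management locked to the inside) map onto a JunOS SRX `security` hierarchy roughly like this. This is an added example, not from the post or from Juniper's documentation; the interface names, the 10.0.0.0/8 private block, and the zone, address-book and policy names are assumptions, and it covers only the `security` hierarchy (interface addressing, routing and the VPN are left out).

```junos
security {
    /* Constructed example: ge-0/0/0 faces the IP transit provider, ge-0/0/1 the private LAN */
    zones {
        security-zone untrust { interfaces { ge-0/0/0.0; } }
        security-zone trust {
            /* Manage the firewall only from the inside */
            host-inbound-traffic { system-services { ssh; ping; } }
            interfaces { ge-0/0/1.0; }
        }
    }
    address-book {
        global { address lan-private 10.0.0.0/8; }
    }
    /* Router role: hide the private block behind the transit-facing interface address */
    nat {
        source {
            rule-set lan-egress {
                from zone trust;
                to zone untrust;
                rule snat-lan {
                    match { source-address 10.0.0.0/8; }
                    then { source-nat { interface; } }
                }
            }
        }
    }
    policies {
        /* Outbound: only what the servers need (HTTPS, DNS, NTP), logged when the session ends */
        from-zone trust to-zone untrust {
            policy lan-out {
                match {
                    source-address lan-private;
                    destination-address any;
                    application [ junos-https junos-dns-udp junos-ntp ];
                }
                then { permit; log { session-close; } }
            }
        }
        /* Inbound: nothing unsolicited; log the attempt so you can see what is knocking */
        from-zone untrust to-zone trust {
            policy deny-inbound {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
        /* Anything not matched by an explicit policy is dropped */
        default-policy { deny-all; }
    }
}
```

Each service you later expose inbound should get its own explicit permit policy (and destination NAT rule) rather than loosening `deny-inbound`, so the logs keep showing you what is being refused.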
Determining which model you need depends heavily on the traffic you need to support. All firewalls are built to handle a certain amount of pass-through bandwidth. Starting out you will likely want it to handle a gigabit of traffic. This will allow you to work a deal with a bandwidth provider to get a 100 Mb/s commit on a gigabit port with the ability to burst above 100 Mb/s. The next metric to be concerned with is the number of transactions or sessions per second it can set up.
Depending on your budget, this puts you between two models in Juniper's SRX series: the SRX240 and the SRX650. You're looking at $3,000 to $15,000 for these devices depending on the options, and if possible think about getting two. It's not a necessity at the beginning as long as you get a good support contract with same-day parts or replacement, but you don't want to go down because something failed in your firewall. Both of these models support High Availability (HA) failover. Remember that if you go with HA, you need to request dual cross-connects from your IP transit provider.
Later this week I’ll cover Load Balancers.