Forum OpenACS Q&A: Professional firewalls

28: Professional firewalls (response to 1)
Posted by Stephen van Egmond on
Professional firewalls can mean very different things. If you believe the marketing, the checkpoint firewall is "very professional".  I know it impresses banks, but it is also very easy to misconfigure.

IMHO the best firewall is one that combines load balancing and failover with firewalling.  And to me that means Big/IP.  You'll need two.  See  It will cost you $10K or so to deploy but if you really are getting a million hits per day, that should be  chump change to you.

If you don't see the point of load balancing or failover, then you'll probably be fine with a cheap Linux box (run Debian, please) doing firewalling.

For my tastes, cheap linux boxes are too cheap and have too many moving parts and require too much maintenance and are too tempting to install software onto.  I use a Linksys router (they sell them as cable-modem routers but that's not all they're good for).  They do packet forwarding from arbitrary ports to arbitrary systems behind the firewall, so if you feel the need to separate web, mail, dns, and login, you can.  The little devices can be configured with lynx, or remotely at slightly increased security risk.  They have no fans and no hard drives to break down.  They're fantastic, I love them.