Firewall

For the past few years, we've had our Windows 2000 servers sitting on the public internet with nothing in front of them. Most people would think that we're crazy, and we probably were! But over those few years, we were hit by only one worm, SQL Slammer (which spread through a buffer overflow in the SQL Server 2000 resolution service on UDP port 1434, a port that never needed to be reachable from the internet and that a default-deny inbound policy would have blocked). The main reasons for not implementing a firewall were cost and implementation time. With Anand in school and me running FuseTalk, finding the time to implement one was a challenge. So, after 4-5 years of hanging our network out there, we decided to protect it with a firewall.

We spent a few weeks researching and pricing the various solutions for a network of our size. In the end, we chose a NetScreen 25 from NetScreen Technologies (recently acquired by Juniper Networks). The NetScreen 25 met our current needs with room to grow. The first thing we had to look at was sessions, since products in this class are rated primarily by the number of simultaneous sessions they can hold in their state table, and a stateful firewall that runs out of session entries cannot admit new connections no matter how much bandwidth it has. The NetScreen 25 tracks 16,000 simultaneous sessions and sets up 4,000 new sessions per second. We carry anywhere from 3,000 to 6,000 simultaneous sessions, depending on the day, so even our busiest day leaves the table well under half full. Throughput is secondary, since most firewalls in this range handle more than we require. The NetScreen 25 is no exception: it is rated for 100 Mbit/sec of firewall throughput, and we burst to 41 Mbit/sec, depending on the day.
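As an added example (not from the original article and not NetScreen's own tooling), the following Python script models the sizing decision above with Little's law and a small session-table simulation. The capacity figures are the NetScreen 25 ratings quoted in the text; the single fixed per-session timeout and the two arrival traces are assumptions constructed for the example.

```python
"""Session-table headroom for a stateful firewall (added example).

Assumptions, not taken from the article: every session occupies one table
entry for one fixed idle timeout, and arrivals come in per-second batches.
The capacity constants are the NetScreen 25 ratings quoted in the text.
"""
from collections import deque

MAX_SESSIONS = 16_000      # concurrent sessions the NetScreen 25 can track
MAX_NEW_PER_SEC = 4_000    # session setups per second it is rated for


def steady_state_sessions(new_per_sec, mean_lifetime_s):
    """Little's law: concurrent sessions = arrival rate x mean lifetime."""
    return new_per_sec * mean_lifetime_s


def seconds_to_fill(capacity=MAX_SESSIONS, new_per_sec=MAX_NEW_PER_SEC):
    """With nothing ageing out, how long until the table is full."""
    return capacity / new_per_sec


def simulate(arrivals_per_sec, timeout_s, capacity=MAX_SESSIONS):
    """Replay a per-second arrival trace against a fixed-size session table.

    arrivals_per_sec[t] is the number of sessions opened during second t.
    Each admitted session holds one entry until its timer (timeout_s)
    expires. Returns peak occupancy and the number of sessions refused
    because no entry was free, which is what saturation looks like to a
    new client.
    """
    table = deque()   # batches of (expiry_second, count), oldest first
    in_table = peak = refused = 0
    for t, new in enumerate(arrivals_per_sec):
        while table and table[0][0] <= t:       # age out expired batches
            in_table -= table.popleft()[1]
        admitted = min(new, capacity - in_table)
        refused += new - admitted
        if admitted:
            table.append((t + timeout_s, admitted))
            in_table += admitted
        peak = max(peak, in_table)
    return {"peak": peak, "refused": refused}


def normal_day():
    """Constructed trace: 40 new sessions/s with a 120 s timeout, 10 minutes."""
    return simulate([40] * 600, timeout_s=120)


def syn_flood():
    """Constructed trace: the rated 4,000 setups/s of connections that never
    complete, each held for an assumed 30 s half-open timer, for 60 s."""
    return simulate([4_000] * 60, timeout_s=30)


if __name__ == "__main__":
    print("normal day:", normal_day())    # peak 4800, refused 0
    print("SYN flood: ", syn_flood())     # peak 16000, refused 208000
    print("seconds to fill at rated setup rate:", seconds_to_fill())  # 4.0
```

The normal-day trace settles at 40 x 120 = 4,800 concurrent sessions, in line with the 3,000 to 6,000 the site carries. The flood trace shows the failure mode sharkeeper asks about in the comments: at the rated 4,000 setups per second the table is full after 16,000 / 4,000 = 4 seconds regardless of link bandwidth, and from then on only about 16,000 / 30, roughly 533 new sessions per second, get an entry as old ones age out. The timeout you configure for half-open sessions, not raw throughput, decides how much of a flood the box absorbs before legitimate visitors start being refused.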




Conclusion

Overall, the upgrade went quite well. There were no major issues at all (unlike some of our previous upgrades). There was about a 3-hour outage while the work was being done, and a slight slowdown while we forced 100 Mbit full duplex on the NetScreen, as the Cisco 2948L3 that we use requires 100 Mbit full duplex to be forced on the far end; a forced port no longer auto-negotiates, so a peer left on auto falls back to half duplex and the resulting duplex mismatch produces frame errors all over the place. Our next major change is upgrading the forums to the new FuseTalk .NET forum software, since we've had a few "issues" with ColdFusion under load on the forums recently. On the hardware side of things, we'll probably start looking at 64-bit once the 64-bit Windows platform is released. For now, we have a lot of headroom and a stable, secure and robust infrastructure.


  • kherman - Wednesday, August 25, 2004 - link

    How about a pic of that motherboard!
  • JasonClark - Monday, August 23, 2004 - link

    Penpun, I updated the article with the URLs, and corrected a spelling error on my end. It's CI Designs, not CSI Designs; guess I watch a bit too much CSI :)
  • penpun - Monday, August 23, 2004 - link

    "CSI Designs RMHR 9000"

    where can we find more info on this company and their products? a quick google search didn't reveal anything obvious.
  • Phiro - Monday, August 23, 2004 - link

    Not sure if you want to give out these numbers, but how many page views did you have in the last 30 days, and how many unique visitors?
  • JasonClark - Monday, August 23, 2004 - link

    #21

    Because we have standardized on the Microsoft platform, and that is where our expertise lies. Performance-wise, a well-tuned .NET application on Windows will run just as well as it will on Linux, if not better, as the framework was built on the Windows platform.

    MySQL is nowhere close to SQL Server in terms of an enterprise database server (at least not yet). No stored procedures, triggers, etc. 5.0 is a way off yet, which should include those features. Also, the tools for MySQL are terrible in comparison to SQL Enterprise Manager. SQL Server is where it's at in terms of productivity, enterprise-class features and the best management tools in the business.

    As #22 said, productivity is key, why run something you are not familiar with and is not the best platform for a .NET application? We're not interested in PHP or any other language.
  • yelo333 - Monday, August 23, 2004 - link

    #21, probably familiarity. Which means productivity.

    IIRC, they also chose the forums software this way...

    Remember, nobody (well, hardly anybody) can know all combinations of software just as well as another.

    There are probably more reasons, or completely different ones, so wait around for the "official" answer. ;)
  • unhaiduc - Monday, August 23, 2004 - link

    This may be a dumb question, but why don't you guys run a Linux/Apache webserver? Or even Win/Apache? MySQL?
  • JasonClark - Sunday, August 22, 2004 - link

    Sharkeeper, we are nowhere near 16,000 simultaneous sessions... only 3-4000; no slowdown at all at that level.
  • VirtualLarry - Sunday, August 22, 2004 - link

    Reflex, my friend also has a quad-proc Slot-II Xeon Compaq server, dual-redundant sets of 3 cooling fans, 2+1 redundant PSUs, hot-swap 64-bit PCI, SCSI RAID, etc., crazy overkill kind of stuff for home. He has a rack-mount case in his kitchen. :P Oh yeah, it definitely DOES sound like a jet plane taking off when he turns the thing on. It's pretty snappy though, good for LAN game servers and stuff. It also uses an insane memory-expansion daughterboard, with its own buffer chips, that can accept up to 16 or maybe even 32GB of registered ECC SDR memory, in quad-interleaved groups of 4 DIMMs. I think he just has 4 x 256MB or 4 x 128MB now, because he got the RAM for cheap.
  • sharkeeper - Sunday, August 22, 2004 - link

    Interesting choice of firewall. What happens when it gets saturated? I've implemented NS25's in small enterprises with ~200 or so users and was concerned. Their utilisation is nowhere near what yours would be.

    Cheers!
