[c-nsp] Firewall/UTM
Justin M. Streiner
streiner at cluebyfour.org
Sat Nov 30 12:19:47 EST 2013
On Sat, 30 Nov 2013, madunix at gmail.com wrote:
> I am in the process to acquire and implement network infrastructure
> solution by upgrading the Firewall/UTM with a very high forwarding rate
> firewall at least 40Gbps, by using the following (TECHNICAL SPECIFICATION)
Sounds like you really should consider doing an RFP with the big firewall
vendors who have products that match or are somewhat close to your
specifications (Cisco, Juniper, Fortinet, and Palo Alto most immediately
come to mind). Let their sales/engineering teams do what they are paid to
do.
You are likely to get Cisco-centric responses since you posted this to the
cisco-nsp list ;)
Also keep in mind that you might be able to save money and reduce exposure
by spreading your anticipated traffic across multiple devices, rather than
one pair of the biggest boxes that $vendor currently makes.
Also be aware that some of the services you mentioned (anti-spyware, etc)
are often offered as a subscription service that might represent an
additional cost that needs to be taken into account beyond things like
support contracts and licensing costs.
> Data Center Firewalls/UTM
> 1. Firewall throughput minimum 40Gbps.
> 2. VPN throughput 17Gbps
> 3. Support up to 6 million concurrent sessions.
> 4. Support up to 2000 IPSec VPN peers.
Is that traffic as of today, or are you planning for traffic growth over
the anticipated lifetime of the firewalls?
> 11. Firewall system must be able to provide stateful inspection
> capabilities
This suggests that you will be able to provide some level of traffic
symmetry into and out of the firewalls. Asymmetric traffic doesn't work
well (read: at all) on stateful firewalls in many cases.
> 12. Firewall system must be able to support Network Address Translations
> (NAT)
I'm assuming this is a generic bullet point for all of the different
flavors of NAT that you might need to support? If you're looking for
CGN/LSN, you might be looking at separate boxes just for that.
> 13. Firewall system must be capable of supporting the following management
> methods:
> a. WebUI (HTTP and HTTPS)
A web UI that is as platform and browser agnostic as possible might also
be important to you. Many vendors use Java for their UI (Cisco ASDM, for
example). If any FW vendor builds their web UI using ActiveX, I'd like
to know, so I never buy from them. Plan your pain expectations
accordingly.
> b. Command line interface (console)
> c. Command line interface (telnet)
> d. Command line interface (SSH)
> e. Centralized Management Solution.
> 14. Firewall system must be capable of preventing Denial of Service attacks.
Firewalls are just one part of the solution here. If you're dealing with
inbound packet love, you will still have to work with entities further
upstream to identify and stop the offending traffic.
> 15. Must Support Virtual domains / Security zones Min. 10/250
> 16. Must Support DLP
> 17. Must Support Web Filtering / Content Filtering
> 18. Anti (Virus, Spams, Malware, Spyware)
> 19. Logging management capability
> 20. Load balancing capability
Define "load balancing". I'm not saying this to be difficult, but load
balancing means different things to different people.
> 21. System must support SNMP (v 1,2,3).
> 22. Internal storage Min. 60GB
I saw no mention of IPv6 support in your specs. In 2013, there is no
excuse that I would accept from any FW vendor for not having IPv6 support
in their products today. Not "next release", not "it's on the roadmap",
etc.
> The above spec could apply to juniper, cisco, hp, xtreme ...etc, any
> recommendation should I add/adjust to my TECHNICAL SPECIFICATION.
>
> -mad
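The point about traffic symmetry above (and the suggestion to spread load across several boxes rather than one big pair) can be made concrete with a small simulation. This is an added example, not code from the thread or from any vendor: a toy stateful firewall that admits new TCP flows only from an assumed inside prefix and admits packets from outside only when a matching entry already exists in its state table. With one device (or a symmetric path) the SYN/ACK is accepted; when the outbound SYN leaves through one device and the reply comes back through a second device with its own independent state table, the reply is dropped. The packet format, prefixes and addresses are assumptions made up for the demo.

```python
"""Toy stateful firewall demonstrating why asymmetric routing breaks
stateful inspection.  Added illustration (not from the cisco-nsp thread);
the packet model, the inside prefix and the addresses are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class StatefulFirewall:
    """Allows new flows only when the SYN comes from `inside_prefix`;
    anything else must match an existing entry in the state table."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table = set()   # 4-tuples (src, sport, dst, dport) of known flows
        self.log = []        # (verdict, packet) pairs, for inspection

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        is_syn_only = "S" in p.flags and "A" not in p.flags
        if is_syn_only and p.src.startswith(self.inside_prefix):
            self.table.add(self._key(p))          # new outbound flow: create state
            self.log.append(("ACCEPT new flow", p))
            return True
        if self._key(p) in self.table or self._reverse(p) in self.table:
            self.log.append(("ACCEPT existing flow", p))
            return True
        self.log.append(("DROP no state", p))    # reply with no state: dropped
        return False


# Constructed sample flow: inside host 10.0.0.5 opens TLS to 203.0.113.9
SYN = Packet("10.0.0.5", 40000, "203.0.113.9", 443, "S")
SYNACK = Packet("203.0.113.9", 443, "10.0.0.5", 40000, "SA")


def symmetric_path():
    """Both directions traverse the same device: handshake completes."""
    fw = StatefulFirewall("10.0.")
    return [fw.process(SYN), fw.process(SYNACK)]


def asymmetric_path():
    """SYN leaves via firewall B, SYN/ACK returns via firewall A.
    A never saw the SYN, so the reply is dropped."""
    fw_a = StatefulFirewall("10.0.")
    fw_b = StatefulFirewall("10.0.")
    return [fw_b.process(SYN), fw_a.process(SYNACK)]


if __name__ == "__main__":
    print("symmetric :", symmetric_path())   # [True, True]
    print("asymmetric:", asymmetric_path())  # [True, False]
```

The takeaway for an RFP: if you plan to spread traffic across several stateful devices, the design has to guarantee that both directions of a flow hit the same device (routing, policy-based forwarding, or a vendor state-sync feature), otherwise the second device behaves exactly like `fw_a` here.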