Re: Sharing machine or separate machine?

From: Christian Jensen <christian#officepools.com>
Date: Tue, 06 Jul 2010 09:01:43 -0700


Thanks for the feedback. I do understand that it is pretty vague.

If you have the machine directly on the net and all ports off, is the only reason to use a cisco to get the VPN or are there other benefits? I come from the M$ world where we used ISA server and I understand the positives there but also the downsides too.

With ISA server I got:

* URL Routing
* NAT
* VPN
* Logging
* Load Balancing
* SSL offloading

and more. I know this forum is not designed specifically for talking about Cisco products, but does anyone know what the best box for the best price to emulate the above features is? Is it simply a matter of mixing in other Open Source projects and boxes?

I hate adding boxes because your MTBF cuts in half for every component you add.

Thanks!
Christian

On 7/6/2010 3:16 AM, Angelo Höngens wrote:
> On 6-7-2010 10:32, Christian Jensen wrote:
>> Hi,
>>
>> I am setting up a new datacenter and would love to get an opinion...
>>
>> We have 3 options:
>> 1. Build a firewall machine separate from the load balancer machine
>> 2. Share a machine and have a firewall and haproxy on the same box
>> 3. Virtualize everything (VMWare, Xen, KVM)
>>
>> Please suggest your best choice for firewall if you want - we can use
>> anything. Also, if you have any decent experience with any hypervisor,
>> please weigh in there too.
>>
>> Thanks!
>> Christian
>
> "Please suggest a new car for me. I have three options: a pick-up truck,
> a car with a trailer behind it, or a lorry truck." They can all be used
> for transporting cargo, and probably do a good job, but I can't make you
> any suggestions, since perhaps you do other work than I do. :-)
>
> I can tell you what we do, based on the work we do..
>
> About firewalls: we mainly use cisco firewalls everywhere (they're also
> good for setting up a site-to-site vpn from your office to your
> datacenter). We have haproxy, varnish and squid machines behind them.
>
> For some high-volume projects we have some balancers attached directly
> to the net. These balancers have at least 2 network cards, and the
> 'public' interface only has port 80 open. SSH and other services only
> listen on the inside interface. In this case you don't really need a
> firewall to close ports.
>
Received on 2010/07/06 18:01

This archive was generated by hypermail 2.2.0 : 2010/07/06 18:15 CEST
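The two-NIC layout Angelo describes (port 80 on the public interface, SSH and everything else listening only on the inside interface) is simple to set up and just as simple to break later, when a newly installed daemon binds to the wildcard address and becomes reachable through the public NIC too. Below is an added example, not code from this thread or from the HAProxy project: a small POSIX shell audit that reads `ss -tlnp` style output and flags every socket reachable from the public side on a port other than 80. The addresses 203.0.113.10 and 10.0.0.5 are assumptions (documentation ranges), and the `ss` lines are constructed samples rather than real captures.

```shell
#!/bin/sh
# Added example (not from the thread): audit a two-NIC balancer so that only
# port 80 is reachable on the public side and every other service (sshd, the
# haproxy stats socket, ...) listens on the inside interface only.
# Addresses are assumptions using documentation ranges; the service lines are
# constructed samples of `ss -H -tlnp` output, not real captures.
#
# How the addresses get pinned in the first place (real directives):
#   haproxy.cfg : frontend http  ->  bind 203.0.113.10:80
#   sshd_config : ListenAddress 10.0.0.5

PUBLIC_IP="203.0.113.10"   # assumed address on the public NIC
INSIDE_IP="10.0.0.5"       # assumed address on the inside NIC

# Constructed sample: the intended layout.
SAMPLE_GOOD='LISTEN 0 128 203.0.113.10:80 0.0.0.0:* users:(("haproxy",pid=1234,fd=6))
LISTEN 0 128 10.0.0.5:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 10.0.0.5:8404 0.0.0.0:* users:(("haproxy",pid=1234,fd=7))'

# Constructed sample: sshd and a database bound to the wildcard address, which
# makes them reachable through the public NIC as well as the inside one.
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 203.0.113.10:80 0.0.0.0:* users:(("haproxy",pid=1234,fd=6))
LISTEN 0 128 [::]:3306 [::]:* users:(("mysqld",pid=900,fd=10))'

# audit_listeners: read ss-style lines on stdin and print one EXPOSED line per
# socket that is reachable from the public side on a port other than 80.
# Exit status 0 when nothing is exposed, 1 otherwise.
audit_listeners() {
    awk -v pub="$PUBLIC_IP" -v inside="$INSIDE_IP" '
        {
            # field 4 is the local address:port, e.g. 0.0.0.0:22 or [::]:3306
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # wildcard binds are reachable on every interface, the public one included
            exposed = (addr == pub || addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            if (exposed && port != "80") {
                print "EXPOSED: " $4 " " $6 " (bind it to " inside " instead)"
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# count_exposed: number of exposed sockets in the given sample text.
count_exposed() {
    printf '%s\n' "$1" | audit_listeners | awk 'END { print NR }'
}

# check_sample: exit 0 if the sample has no exposed sockets, 1 otherwise.
check_sample() {
    printf '%s\n' "$1" | audit_listeners >/dev/null
}

# On a real balancer, replace the sample with live output:
#   ss -H -tlnp | audit_listeners
echo "good layout:"
printf '%s\n' "$SAMPLE_GOOD" | audit_listeners && echo "  nothing exposed"
echo "bad layout:"
printf '%s\n' "$SAMPLE_BAD" | audit_listeners || echo "  $(count_exposed "$SAMPLE_BAD") exposed socket(s)"
```

Run as a cron job or a post-deploy check, the non-zero exit status is the useful part: it catches the case where a package install or a config change quietly rebinds a service to 0.0.0.0, which is exactly the situation where a separate firewall in front of the balancer would otherwise have saved you.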