Re: Sharing machine or separate machine?

Hi !

2010/7/6 Christian Jensen <christian#officepools.com>

> Thanks for the feedback. I do understand that it is pretty vague.
>
> If you have the machine directly on the net and all ports off, is the only
> reason to use a cisco to get the VPN or are there other benefits? I come
> from the M$ world where we used ISA server and I understand the positives
> there but also the downsides too.
>
> With ISA server I got:
> * URL Routing
> * NAT
> * VPN
> * Logging
> * Load Balancing
> * SSL offloading
> and more. I know this forum is not designed specifically for talking about
> Cisco products but does anyone know what the best box for the best price to
> emulate the above features? Is it simply a matter of mixing in other Open
> Source projects and boxes?
>
>

Well an open source Box will always beat the M$ equivalent price, will be more robust and more secure and you won't have to upgrade the hole server if you decide to upgrade 1 product !

Here is what some are using

• URL Routing --> haproxy
• NAT --> linux firewall
• VPN --> linux can provide this with openvpn or other vpn server
• Logging --> well its part of linux syslog-ng does a good job
• Load Balancing --> haproxy can do that for all http trafic
• SSL offloading --> www.*stunnel*.org/ or nginx

This can be all on 1 server directly connected to the internet if well configure or behind a cisco or juniper firewall. some people on the list will load balance http traffic over 100Mb/sec on 1 normal server hardware ...

It all depends on the size of the object that you will be serving and your configuration....

Good luck !

> I hate adding boxes because your MTBF cuts in half for every component you
> add.
>
> Thanks!
> Christian
>
> On 7/6/2010 3:16 AM, Angelo Höngens wrote:
>
>> On 6-7-2010 10:32, Christian Jensen wrote:
>>
>>> Hi,
>>>
>>> I am setting up a new datacenter and would love to get an opinion...
>>>
>>> We have 3 options:
>>> 1. Build a firewall machine separate from the load balancer machine
>>> 2. Share a machine and have a firewall and haproxy on the same box
>>> 3. Virtualize everything (VMWare, Xen, KVM)
>>>
>>> Please suggest you best choice for firewall if you want - we can use
>>> anything. Also, if you have any decent experience with any hypervisor,
>>> please weigh in there too.
>>>
>>> Thanks!
>>> Christian
>>>
>>
>> "Please suggest a new car for me. I have three options: a pick-up truck,
>> a car with a trailer behind it, or a lorry truck." They can all be used
>> for transporting cargo, and probably do a good job, but I can't make you
>> any suggestions, since perhaps you do other work than I do. :-)
>>
>> I can tell you what we do, based on the work we do..
>>
>> About firewalls: we mainly use cisco firewalls everywhere (they're also
>> good for setting up a site-to-site vpn from your office to your
>> datacenter). We have haproxy, varnish and squid machines behind them.
>>
>> For some high-volume projects we have some balancers attached directly
>> to the net. These balancers have at least 2 network cards, and the
>> 'public' interface only has port 80 open. SSH and other services only
>> listen on the inside interface. In this case you don't really need a
>> firewall to close ports.
>>
>>
>

-- 
Guillaume Bourque, B.Sc.,
consultant, infrastructures technologiques libres
Logisoft Technologies inc.  http://www.logisoftech.com
514 576-7638,  http://ca.linkedin.com/in/GuillaumeBourque/fr