Page 4 of 5
#206158 - 2012-11-08 03:39 PM Re: What AV solution does your Company use [Re: NTDOC]
Glenn Barnas Administrator Offline
KiX Supporter

Registered: 2003-01-28
Posts: 4401
Loc: New Jersey
Doc,

Regarding performance of "software" vs "hardware", I can't speak for TMG (they haven't upgraded yet and that's our largest ISA/TMG client), but we used a pair of ISA 2006 firewalls in an NLB configuration at the travel agency HQ. Every user in North America (about 4000 in total) was connected to the HQ site and used the ISA array for content filtering and proxy services. A pair of dual-processor 2.33GHz servers with 4G RAM (32b O/S, as required by ISA) handled an average daytime load of 12,000 transactions per minute each, and rarely ran above 8% CPU load. Note that this is transaction/minute, not packets per second, which would be MUCH higher. In ISA/TMG, a "transaction" is every complete web connection, from initial request to final delivery of all page content, usually many dozens of packets.

Glenn
_________________________
Actually I am a Rocket Scientist! :D

#206169 - 2012-11-09 06:49 AM Re: What AV solution does your Company use [Re: Glenn Barnas]
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11625
Loc: CA
Yes, I understand, Glenn, but it's not really about transactions per minute; it's about how much data per second it can handle. Generally speaking, the travel agency is probably mostly doing SQL query transactions, which are very small with respect to data size, and a bit of graphics, etc.

Wikipedia is ranked #6 in the World for traffic, and their traffic combined over the year averages just above 4Gbps with peaks just under 8Gbps. That amount of traffic would be like a DDoS to TMG, and ISA Server is not a deep packet analysis server either. Cisco does provide a dedicated device that they claim can manage 4Gbps of analysis in a single device. Passing 4Gbps is fast; actually analyzing it and routing it based on the analysis takes a lot of computing power.

I admit this is certainly not my area of expertise, but basic research seems to show these dedicated boxes way outperform a normal server for intrusion detection and prevention.

#206175 - 2012-11-09 04:15 PM Re: What AV solution does your Company use [Re: NTDOC]
Glenn Barnas Administrator Offline
KiX Supporter

Registered: 2003-01-28
Posts: 4401
Loc: New Jersey
Actually, Doc, that was just web traffic. Nearly every transaction from the agent's desk to the back-end servers is now HTTP. The traffic I referenced above was the external web traffic that agents generated connecting to external booking sites or performing comparative analysis for clients.

I was just pointing out that these systems handled several thousand packets per second and over 10K web transaction requests per minute per host without "breaking a sweat". More than enough for most "normal" environments.

Glenn
_________________________
Actually I am a Rocket Scientist! :D

#206181 - 2012-11-10 12:54 AM Re: What AV solution does your Company use [Re: Glenn Barnas]
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11625
Loc: CA
Yep, agreed that most sites can and do run normal servers as part of their perimeter security using software often on either a Windows or Linux server. But dedicated IPS solutions can handle much more traffic per second than a regular server can.

Even at my last job years ago they used Unix to protect the perimeter and they had something like 130K desktops. But no longer - almost everything has been switched over to dedicated IPS type units.

#206182 - 2012-11-10 02:18 PM Re: What AV solution does your Company use [Re: Lonkero]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
 Originally Posted By: Lonkero

back to arend's comment, isn't your pc a hardware device. so if you have winxp firewall turned on, you have a hardware firewall? again, that definition is so vague that it has no meaning.


Technically a PC running a firewall as an addition to the OS is a software firewall.
A hardware firewall is a device dedicated for this purpose alone.
For instance, this is the kind of firewall I'm talking about: Draytek Vigor 2950

#206184 - 2012-11-10 04:33 PM Re: What AV solution does your Company use [Re: Arend_]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
I understand where you are coming from. but the word technically doesn't fit your description. but if you add a few words it does. all firewalls have an OS. as long as the OS is dedicated to running the firewall software and other duties as a firewall, it just technically doesn't fit. I know I am splitting hairs, but the whole discussion is about splitting hairs.
in many cases firewalls running on a full linux distro or windows do a better job than ones deployed as a "real firewall"
the form of the chassis might look cool when it's 1U rackmountable but doesn't... shouldn't bring any confidence in the security or performance.
_________________________
!

download KiXnet

#206185 - 2012-11-11 11:42 AM Re: What AV solution does your Company use [Re: Lonkero]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Well, as long as we are splitting hairs, I'm right: the term "hardware firewall" refers to a device (yes, with a small OS) that is dedicated for the soul purpose of firewall activities.

I disagree with your opinion that the ones on a full OS generally do a better job; while that's up for debate, the full OS has a lot more vulnerabilities, which make them unfit for the job :-)

Linux based firewalls I always prefer; most hardware firewalls generally are.
And like SUSE (when you choose to install with only modules of your choosing), the OS is built with ONLY the necessary modules and components to do the job (in this case firewall).
Which leaves much less margin for error.

#206186 - 2012-11-11 04:22 PM Re: What AV solution does your Company use [Re: Arend_]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
Lonkero, Arend, I think that you are both essentially agreeing on the same thing, you are just using different terminology. A better way to explain it would be this:

A hardware firewall is just a piece of equipment that has the sole (not soul, Arend) task of performing firewall duties and no other functions such as browsing the internet, checking your email etc. All devices contain a CPU, hard drive etc.; the difference is the use the equipment is put to, rather than what is inside the box!
Hence a software firewall would be like the Windows 7 firewall, where the computer performs firewall functions in addition to many other things like Internet browsing, checking your email, arguing with people on kixtart ha ha!

The difference between a hardware firewall such as the infamous Cisco box that Doc owns and the type of firewall that I am going to build, i.e. a Slackware box that will provide the firewall functions that I want, would be two things: customisability and the power of the computer.

The problem with the Cisco is that because it is contained within a small enclosure, it must obey the laws of physics and be built to reduce heat output, so it will have a slower CPU and slower hard drive, and in practice cannot be as fast as a normal sized computer box, which could have a more powerful CPU and faster hard drives etc. because the enclosure has the capacity to cool the computer down.

The second issue with the Cisco box is that you are limited to customising whatever that small OS is capable of doing. So if the Cisco box doesn't support the feature, you're screwed.

These two advantages are why I would go with my Slackware Box which is a server based Linux distro.

Arend and Lonkero, I think that you are both in agreement in that when Lonkero is talking about a full OS, I think he means something like Slackware or your SuSE box, not a Windows 2008 server which installs loads of things that you don't need for the firewall. Slackware is so customisable with the installation that you can virtually install just a command shell, with a very small GUI to do whatever it is you need to set up your firewall. I don't think that anyone is implying that it's desirable to set up Windows 7 with a firewall program and call that a hardware firewall! Because Arend is right: the more programs that get installed onto the OS and the bigger the OS, the more security holes there would be.

A good way to settle this issue, is to find some website or program that you can use to test your firewall and AV and content filtering and see how well it passes the test.

#206188 - 2012-11-11 06:24 PM Re: What AV solution does your Company use [Re: Robdutoit]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
although firewall appliances sometimes come with slower CPUs they can still beat PC based systems in speed thanks to accelerator chips for things like encryption. the newer CPUs are starting to be fast enough for this not to be the case, but for example larger network topologies with routed IPSEC VPNs used to choke CPUs easily...

I must also argue that windows can have firewall software that makes it as much a hardware appliance as a linux distro. you just told us that you are going to install a GUI in yours.

and lastly, I have ciscos currently too. not because I like it, but it's one of those names that on this continent seem to be synonymous for stuff. firewall equals cisco in a lot of ppl's minds, just like server equals IBM. and I am a bit bitter about this because I know that stuff could be done way better without this "curse"

otherwise, yea, our difference in opinion is rather non-existent or at least really minute.

and arend, full OS can mean a lot of things. firewalls based on some sort of linux kernel have their own full OS in them. and a lot of times, you can open the appliance and push your own in there. windows server core is a full OS but comes with way less overhead than a normal winserver install.
again, I think we don't disagree that much in how we think about this. I just disagree with how you write it ;)
_________________________
!

download KiXnet

#206190 - 2012-11-11 10:28 PM Re: What AV solution does your Company use [Re: Lonkero]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Rob, yeah I know it's sole and not soul, just a Freudian slip so to speak ;)
When I mentioned SuSE in my previous explanation it was because SuSE allows for an internet based installation where you only install what is needed and not a thing more. It has nothing to do with the distro itself. Apart from that, Lonk and I usually have these types of discussions; we are both right but we love to split hairs ;)

Lonk, you know as well as I do that when I mention a "full OS" I mean the basic installation of the distro media. I know we agree, I just disagree with how you read it ;)

Btw, since we're on the subject, there are a lot of VMware Appliances nowadays that cover the role of firewall with minimalistic OS's even smaller than the "hardware firewalls".
I'll call them Virtual Firewalls for now; they don't have the CPU/MEM boundaries of the hardware variants ;) But the downside is that you have to configure your hardware internet access to get to it, NAT/open ports etc. ;)

#206191 - 2012-11-11 10:31 PM Re: What AV solution does your Company use [Re: Arend_]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Besides, I'm waiting for Bjorn to step into this conversation cos this is really his field of expertise.
#206192 - 2012-11-11 10:42 PM Re: What AV solution does your Company use [Re: Arend_]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
his expertise is volvo's and motorcycles, the small ones ;)
_________________________
!

download KiXnet

#206193 - 2012-11-11 10:56 PM Re: What AV solution does your Company use [Re: Lonkero]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Hahaha, well he has got a proper motorcycle and more importantly he can drive it properly ;) Not as good as my motorcycle though ;)
But his expertise IS internet security!

#206194 - 2012-11-12 06:47 AM Re: What AV solution does your Company use [Re: Arend_]
Björn Offline
Korg Regular

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
I've spent a couple of mins trying to get the hang of what you've been chatting about (this is an oooold thread :P ).
To start with defending myself: I know nothing about volvos (but I do know some of their infrastructure :p), and sadly not much about smaller motorcycles ;).

I have to agree with Arend on the term of the description for a hardware firewall - it's purpose built.

A sole firewall simply allows or drops/rejects packets at the specific OSI level (transport layer); SPI features were included in this segment. Most firewalls now tho got UTM features, pushing it up to the application level, making 'em aware of, i.e., content, meaning they can identify the content type as well, and also granting logic for (N)IDS/(N)IDP. If you're talking with a sales person, they'd sell you a NG firewall, because it has added features when it comes to the UTM department, and is, well, usually also stacked with proxy features... Still, they are purpose built, dedicated boxes (some release it as vm's..) etc.

I've already been sniffing on this, but when it comes to 0-day stuff, it's either related to IDS/IPS features, or AV-feats in a UTM fw. This is the part that does the actual identification of what kind of traffic it is, may it be binaries that traverse the network.

An ISA server for example is not purpose built, neither is a Linux system installation - since it's not "bare metal". Hardware firewalls, at least most of the more high end segment today, come with off-loading chips that accelerate traffic once it has been identified. Giving them a great benefit over fw's where packets still have to be handled by the kernel/network stack.
Edit: Now, I know someone might argue that the ISA is purpose built, but since it's such a poor implementation, and not something you ever should put facing a WAN, I do wanna highlight that MS might have wished it was, but I can't see how it ever could be..

A "NAT" box, well, now we're talking routing features. This is related to UTM fw's/NG fw's.

Here's the thing - a good device is a device that you fully understand and can manage/prevent with.
There is (expensive) stuff you can buy now that actually can act as a MiTM device and run all non identified binaries etc before they hit your org (or rather, it can be run at the same time as it's "original", giving the sysadmin a PoC of the effects of it, if it's deemed as possible malware/etc). And it gives you a full report of what it did ;).

Do remember, a "correct" segmented and filtered LAN wins over the best and most powerful FW, just granting every direction and every source a full out communication with the world.


Not sure what I am expected to add to the discussion here :p. But nice to see so many of you alive! ;)


Edited by Björn (2012-11-12 09:57 AM)
Edit Reason: Added some ISA nonsense.
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!
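
Björn's distinction above between a plain transport-layer filter (decide on protocol and port) and a UTM / application-aware one (decide on what the bytes actually are) can be seen in a few dozen lines. The following is an added example written for this page, not code from any of the posters or from any firewall product; the flow model, the allowed-services policy, the blocked content types and the sample flows are all assumptions constructed for the demonstration. It runs the same five flows through both policies and shows where they disagree: a Windows executable served on port 80, and a non-HTTP protocol riding on port 80, both pass the port filter and are stopped only by content inspection.

```python
from dataclasses import dataclass

# Constructed model of a firewall decision on one flow. `service_port` is the
# well-known port of the session (simplification: the client's ephemeral port
# is ignored) and `payload` is the server's application data, empty when the
# content is opaque (TLS) or the flow never got past the handshake.
@dataclass
class Flow:
    name: str
    proto: str
    service_port: int
    payload: bytes

# Transport-layer policy (assumed): only outbound web is permitted.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}
# Content the application-level inspector refuses (assumed policy:
# no Windows executables in from the web), by declared type or by file magic.
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec"}
PE_MAGIC = b"MZ"


def transport_filter(flow: Flow) -> str:
    """Stateless packet filter: decide on protocol and port only."""
    return "allow" if (flow.proto, flow.service_port) in ALLOWED_SERVICES else "drop"


def parse_http_response(payload: bytes):
    """Return (content_type, body) for a minimal HTTP/1.x response, else None."""
    if not payload.startswith(b"HTTP/1."):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:           # skip the status line
        field_name, _, value = line.partition(b":")
        if field_name.strip().lower() == b"content-type":
            content_type = value.split(b";")[0].strip().decode("ascii", "replace").lower()
    return content_type, body


def application_filter(flow: Flow) -> str:
    """UTM-style decision: transport check first, then look at what the bytes are."""
    verdict = transport_filter(flow)
    if verdict != "allow" or not flow.payload:
        return verdict                        # already dropped, or nothing to inspect
    parsed = parse_http_response(flow.payload)
    if parsed is None:
        return "drop:not-http"                # something else riding on the web port
    content_type, body = parsed
    if content_type in BLOCKED_CONTENT_TYPES or body.startswith(PE_MAGIC):
        return "drop:executable-content"      # declared, or sniffed, PE binary
    return "allow"


def compare(flows):
    """Run both policies over the same flows; returns (name, transport, application)."""
    return [(f.name, transport_filter(f), application_filter(f)) for f in flows]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("https", "tcp", 443, b""),
    Flow("telnet", "tcp", 23, b""),
    Flow("html page", "tcp", 80,
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>hi</html>"),
    Flow("exe download", "tcp", 80,
         b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00..."),
    Flow("tunnel on 80", "tcp", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    for name, t, a in compare(SAMPLE_FLOWS):
        print(f"{name:14} transport={t:6} application={a}")
```

The "exe download" flow is the interesting one: its Content-Type header is a harmless-looking octet-stream, so the inspector only catches it by sniffing the `MZ` magic at the start of the body. That is the difference Björn is pointing at between a filter that knows ports and one that identifies content, and it is also why the off-loading chips he mentions matter: the application-level path has to reassemble and read every byte, not just the first packet's header.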

#206198 - 2012-11-12 02:08 PM Re: What AV solution does your Company use [Re: Björn]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
swedish...
Björn (I switched my kb to finnish just to write your name right :))

Arend's definition differs from yours. Arend said it can't be PC. is this what you mean when you say purpose built?

you say they are purpose built "boxes", and then you say these boxes can be VM's. so they are not built at all but run inside the full OS of some other kind, even further away from the definition of a dedicated purpose built "box"
and then you go on writing that linux based firewalls and isa are not purpose built since they are not bare metal. but the VM in your previous comment is bare metal?
and yet again, that vm is running under windows or linux based host.

you get more bare metal taking a PC and installing linux on it with kernel optimized for this kind of stuff.

about your comment on firewalls and transport layer. that might have been the case in 80's and early 90's but all today's firewalls should work on application level. if they don't it's like using fax instead of email or 28k modem in place of anything faster as they both do communication in a way that fits the definition of "communication".
_________________________
!

download KiXnet

#206205 - 2012-11-12 09:10 PM Re: What AV solution does your Company use [Re: Lonkero]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
I wish I had never brought the topic of firewalls up. Now I don't know whether I should go ahead with my slackware box or if that isn't going to be secure enough. What's a poor guy to do?
#206206 - 2012-11-13 01:47 AM Re: What AV solution does your Company use [Re: Robdutoit]
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11625
Loc: CA
It will be fine Rob - nothing is foolproof or 100% secure. Given enough time anything can be compromised.
#206207 - 2012-11-13 04:37 AM Re: What AV solution does your Company use [Re: NTDOC]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
agreeing with doc. along the lines anything is possible...
_________________________
!

download KiXnet

#206208 - 2012-11-13 09:09 AM Re: What AV solution does your Company use [Re: Lonkero]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1896
Loc: Hilversum, The Netherlands
Rob, your slackware box should be more than sufficient, don't worry :)
#206211 - 2012-11-13 02:02 PM Re: What AV solution does your Company use [Re: Arend_]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
a simple rule is not to allow direct access to the box itself in any way from the outside.
and another one is to add a "trap port" from well known ports, like ssh, telnet or ftp or something, so that anything trying to connect to those gets blocked for five or so minutes. effectively "frustrates" any port scanners and blocks most security scanning tools :)
_________________________
!

download KiXnet
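
The "trap port" rule Lonkero describes is easy to state precisely: the box serves a small set of ports to the outside, deliberately serves nothing on well-known management ports, and any source that touches one of those gets every further connection refused for about five minutes. The following is an added example for this page, not code from Lonkero or from any firewall; the served-port set, the trap-port set, the penalty length and the connection log are constructed assumptions. It replays a small log through that rule and shows the block starting, holding, and expiring; it also adds a `never_block` exemption that the post does not mention, because a trap on port 22 otherwise locks out the administrator who mistypes one address.

```python
from dataclasses import dataclass, field

# Assumed policy, not from the post: ports the box serves to the outside, and the
# well-known ports it deliberately does not (any hit on those is the "trap").
SERVED_PORTS = {80, 443}
TRAP_PORTS = {21, 22, 23}
BLOCK_SECONDS = 300            # "five or so minutes"


@dataclass
class TrapPortFilter:
    trap_ports: set = field(default_factory=lambda: set(TRAP_PORTS))
    served_ports: set = field(default_factory=lambda: set(SERVED_PORTS))
    block_seconds: int = BLOCK_SECONDS
    never_block: set = field(default_factory=set)        # management sources exempt from trapping
    _blocked_until: dict = field(default_factory=dict)   # src -> timestamp the block expires

    def observe(self, ts: int, src: str, dst_port: int) -> str:
        """Classify one connection attempt and update the temporary block list."""
        expiry = self._blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "blocked"             # still inside the penalty window
            del self._blocked_until[src]     # window over, forget the source
        if dst_port in self.trap_ports and src not in self.never_block:
            self._blocked_until[src] = ts + self.block_seconds
            return "trapped"                 # first touch of a trap port starts the block
        return "allowed" if dst_port in self.served_ports else "dropped"


def run(log_lines, never_block=()):
    """Replay 'ts src dst_port' lines through the filter; returns (src, port, verdict)."""
    fw = TrapPortFilter(never_block=set(never_block))
    out = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, port = line.split()
        out.append((src, int(port), fw.observe(int(ts), src, int(port))))
    return out


# Constructed connection log: seconds since start, source address, destination port.
SAMPLE_LOG = """
# ts  src              dport
0     203.0.113.7      22
3     203.0.113.7      80
10    198.51.100.20    80
299   203.0.113.7      443
301   203.0.113.7      80
305   198.51.100.20    8080
""".splitlines()

if __name__ == "__main__":
    for src, port, verdict in run(SAMPLE_LOG):
        print(f"{src:16} {port:5} {verdict}")
```

Two caveats a practitioner would add before deploying this. Block on the source address only after a completed TCP handshake, never on a bare SYN or on UDP, otherwise a forged source address is enough to get a third party's traffic refused. And remember that many clients share one address behind NAT, so a trap hit from one machine in an office blocks the whole office for the window; keep the window short, as the post suggests, and exempt known management sources.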
