[nflug] Firewalls

Brad Bartram brad.bartram at gmail.com
Tue Nov 20 11:41:32 EST 2007


My recommendation is such:

Plan, plan, plan

You have said a few things that jumped out at me.  First, you have 30+
servers.  Second, you have 6 load balanced web servers. Third, you are
in a period of growth.

This can put you into a perfect storm of either a great situation or a
miserable situation - it really all depends on whether you're a glass
half full or half empty kind of guy.

Realistically, you can put up a linux box and use it to do load
balancing and all sorts of neat things.  That's not in question.  What
you need to be concerned with is traffic and throughput.

You have 30 servers, 6 of which are web servers.  What's your
aggregate traffic to those boxes?  How many connections do you see to
each on a given day?  How many simultaneous connections do you see on
average?  What's your average connection length?  What services are
you offering - port 80, 443 - anything else?  Are you fine with
stateful packet filtering or do you need application level filtering?
Do you need VPN - if so, do you have roaming dynamic connections or
site to site?

The $64,000 question - how much will this change in the next 6 months to a year?

Whipping up a firewall is easy, and I have no doubt you can do it with
your eyes closed, but will a homebrew linux firewall be long term cost
effective for your organization?  Will the cost in your time and
equipment necessary to accommodate organizational need be offset by the
savings in comparison to buying a slightly larger than necessary
firewall that will last the next 3 - 5 years?
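The sizing questions in the post (aggregate traffic, connections per day, simultaneous connections, average connection length, which ports are actually in use, and how much headroom growth demands) can be answered from the existing servers' own connection records before any hardware is chosen. The script below is an added example, not part of Brad's post or any nflug project: it assumes a flow log or connection-tracker export already reduced to one tuple per TCP connection (start, end, destination port, bytes), and the records in it are constructed sample data spanning two days.

```python
"""Answering the firewall sizing questions from per-connection records.

Added example, not from the original post. It assumes a flow log exported
from the existing servers or a packet-filter connection tracker, reduced to
one tuple per TCP connection: (start_epoch, end_epoch, dst_port, bytes).
The records below are constructed sample data, not real traffic.
"""
from collections import Counter
from datetime import datetime, timezone
from math import ceil

BASE = 1195560000  # 2007-11-20 12:00:00 UTC, chosen to match the post's date

# Constructed sample flows: offsets in seconds from BASE.
SAMPLE_FLOWS = [
    (BASE + s, BASE + e, port, nbytes)
    for s, e, port, nbytes in [
        (0, 10, 443, 5000),
        (5, 20, 443, 7000),
        (10, 15, 80, 1000),
        (30, 90, 22, 20000),          # a long SSH session: the "anything else?" case
        (40, 45, 80, 500),
        (42, 50, 443, 3000),
        (44, 46, 443, 2000),
        (86400, 86460, 443, 10000),   # next calendar day
    ]
]


def aggregate_bytes(flows):
    """Total bytes across all connections (the aggregate-traffic question)."""
    return sum(nbytes for _, _, _, nbytes in flows)


def connections_per_day(flows):
    """Connections started per UTC calendar day."""
    days = Counter()
    for start, _, _, _ in flows:
        day = datetime.fromtimestamp(start, tz=timezone.utc).date().isoformat()
        days[day] += 1
    return dict(days)


def average_duration(flows):
    """Mean connection length in seconds."""
    return sum(end - start for start, end, _, _ in flows) / len(flows)


def concurrency(flows):
    """Peak and time-weighted mean number of simultaneous connections.

    Sweep line: +1 at each start, -1 at each end. Ends sort before starts
    at the same instant, so a connection that closes exactly when another
    opens is not counted as overlapping it. The mean is connection-seconds
    divided by the observation window (first start to last end).
    """
    events = sorted([(s, +1) for s, _, _, _ in flows] +
                    [(e, -1) for _, e, _, _ in flows])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    window = max(e for _, e, _, _ in flows) - min(s for s, _, _, _ in flows)
    conn_seconds = sum(e - s for s, e, _, _ in flows)
    return peak, conn_seconds / window


def services(flows):
    """Destination ports in use, most common first; anything beyond 80/443 stands out."""
    return Counter(port for _, _, port, _ in flows).most_common()


def projected_peak(peak, annual_growth, years):
    """Compound the observed peak forward for the 'will it last 3-5 years' question."""
    return ceil(peak * (1 + annual_growth) ** years)


def sizing_report(flows, annual_growth=0.5, years=3):
    """Collect every answer the post asks for into one dict."""
    peak, mean = concurrency(flows)
    return {
        "aggregate_bytes": aggregate_bytes(flows),
        "connections_per_day": connections_per_day(flows),
        "avg_duration_s": average_duration(flows),
        "peak_concurrent": peak,
        "mean_concurrent": mean,
        "services": services(flows),
        "projected_peak_concurrent": projected_peak(peak, annual_growth, years),
    }


if __name__ == "__main__":
    for key, value in sizing_report(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

The peak and projected peak are what a state table has to hold; the mean shows how bursty the load is relative to that peak; the port list is what decides whether plain stateful filtering is enough or some service needs application-level inspection. The growth factor and horizon are inputs to argue about, not measurements.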
