Info on cDome Firewall Usage on Physical Mini PC Device as Full Secure Gateway Router

    Hi,

    I'm investigating using cDome Firewall Virtual Appliance on specialized dedicated Mini PCs / Devices to be used as a full Secure Gateway Router installed at production customer sites.

    The feature and capability list of cDFW is impressive and offers an evolution path to enhance customer networks with a full commercial product. Our intention is to replace current network router/gateway instead of using similar devices from some commercial providers. No open-source ware for these customer production environments.

    I'm looking to recommend a reference architecture for a set of Secure Gateway Router devices with cDFW installed where the devices are offered in Tiny, Small, Medium, Large, Huge (or similar labels) with increasing capacity and number of users supported depending on the mix of security features activated. Whew! That was a mouthful : )

    I need to keep it simple for the Sales Team to grasp and the Sales Engineers to easily mix and match a reference set to specific customer requirements at affordable prices that compete with the larger commercial providers.

    Our target customer base has use cases for:
    • WAN with WAN Failover,
    • Dedicated LANs for User Desktops (Wired and Wireless access),
    • Occasionally Servers are on-site, but usually accessed from the Datacenter. If on-site, they are usually on the same LAN as User Desktops,
    • On-Site PBX and VoIP Devices, sometimes with Session Border Controllers,
    • IP Camera Surveillance with Network Video Recorder with external stream viewing,
    • Point of Sale equipment and
    • Local Backup Gear that also stream to the off-site Datacenter (you know, that Cloud Thing.)
    There are mixes of these devices for small to larger customers and each may have different allotments of the device types. And we strive to segment the network accordingly. So my recommendation needs to scale to accommodate this range of data throughput.

    We are trying to refrain from building a larger PC-ish box to be that secure gateway router. We'd like to have something that resembles the usual router / network gear devices to install at customer sites.

    I've done some research over the last few days and found a few generic vendors with customizable firewall appliances (with various processors, RAM and Disk configurations) that appear to be adequate candidates and more than meet the minimum requirements as stated for cDFW in the introduction and installation documentation.

    I'm reaching out to the community to ask if anyone has any experience or Proof of Concept with similar devices and a set of benchmarks for cDFW at various scale-out configurations.

    If you've made it this far in this rather long post, thanks for reading.

    All insight and expertise you can share is greatly appreciated.

    Regards,
    MikeTib
    Technologist and Cloud Services Architect, occasionally
    http://www.MikeTib.com

  • #2
    Hi MikeTib,

    What you mentioned can be covered with cDFW. You can prepare USB sticks with the ISO and then boot your hardware with it.

    I would recommend that you scale your hardware boxes based on the number of devices that will go through the firewall. The best approach would be calculating the throughput required for the network you want to secure. The number of endpoints would help you calculate it roughly. For network peripherals like IP Cameras and such, you can use the same calculation as well. You can also always check the daily traffic generated per customer via the router and try to calculate the concurrent average inbound + outbound data created by your customer network in Mbps.

    I would say you should start with a minimum of 2 GB RAM and 2-core x 2 GHz processors. Atom/Celeron-like processors can be used, for example. For all sizes of boxes you implement, you'd need a minimum of 20 GB disk. Given this is the minimum configuration, you'd be able to carry up to 20-30 endpoints very smoothly. We have seen around 500 Mbps UTM throughput (all features enabled) with such a level of hardware.

    The next level would be doubling the RAM and the processor for bigger networks. E.g. 4 GB RAM and i3 processors (2 x 3.5 GHz) would help you scale up to covering around 80 endpoints with roughly 1000 Mbps UTM throughput.

    From this point forward, you can keep scaling by increasing the RAM and using faster processors.

    And as an important note, you would at least need 2 NICs, one for LAN and one for WAN. But I would recommend having 4 NICs: LAN, Wi-Fi, DMZ and WAN.


    Hope this helps. If you have any additional questions or ideas, I can help.


    • #3
      Hi Bulut, Thanks for the reply and info. It's much appreciated.

      The info you provided for architecture and scaling is just what I needed to complete my review and vendor short list. It is extremely helpful.

      I have 2 questions regarding the Processor Feature Capability and Networking Port Interfaces to recommend, which I think devices should contain:

      1) Since cDFW has AES functionality, I'm assuming that it would work best on Intel Processors that have AES-NI Capability? To offload that function to the processor and let it be done by hardware?

      2) I plan on recommending only devices that have Intel Networking Cards and ports. And only the ones from more recent releases such as i210, i211, i219, and i350 families. I'm also assuming cDFW takes advantage of advanced features inherent in these such as RSS queueing capacity. Along this line of thinking I would rule out devices with the older Intel 80000 series Networking Cards, such as the 82583V, since they have been around for a while and Intel has scheduled End of Life for most of them 1H2020. And that the 80000 series would not allow modern firewalls to take advantage of newer networking hardware features. Whew! That was another mouthful.

      Thanks again for your insight.

      Regards,
      MikeTib



      • #4
        Hi MikeTib,

        Our users have been using cDFW with Intel processors for a long time and they were happy about it, so I would recommend it with confidence.

        AES-NI would definitely increase the throughput and I would recommend that as well.

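Added example (not code from cDome or from either poster): a preflight script that checks a candidate mini PC against the minimums Bulut gives in #2 (2 GB RAM, 2 cores, 20 GB disk, 2 NICs with 4 recommended) and for the AES-NI CPU flag discussed in #3 and #4. It reads the standard Linux /proc/cpuinfo, /proc/meminfo and /sys/class/net paths by default; the sample files it builds are constructed, and the two-tier mapping is my reading of the thread's sizing points, not a cDome specification.

```shell
#!/bin/sh
# Added example: preflight check of a candidate mini PC against the minimums
# given in this thread (2 GB RAM, 2 cores, 20 GB disk, 2 NICs, ideally 4) and
# for the AES-NI flag ("aes" in /proc/cpuinfo). Each helper takes an optional
# path so saved copies of /proc/cpuinfo, /proc/meminfo and /sys/class/net from
# another box can be checked offline.

has_aesni() { grep -q -w 'aes' "${1:-/proc/cpuinfo}"; }        # exit 0 if AES-NI present
cpu_cores() { grep -c '^processor' "${1:-/proc/cpuinfo}"; }     # logical CPU count
mem_gb()    { awk '/^MemTotal:/ { print int($2 / 1048576) }' "${1:-/proc/meminfo}"; }
disk_gb()   { df -P -k "${1:-/}" | awk 'NR == 2 { print int($2 / 1048576) }'; }
nic_count() {                                                    # interfaces other than lo
    n=0
    for d in "${1:-/sys/class/net}"/*; do
        [ -e "$d" ] && [ "$(basename "$d")" != lo ] && n=$((n + 1))
    done
    echo "$n"
}

# Tier per the sizing points in #2 (assumed mapping): "minimum" = 2 GB / 2 cores
# (~20-30 endpoints, ~500 Mbps UTM); "mid" = 4 GB / 2 faster cores (~80 endpoints,
# ~1000 Mbps UTM). Args: mem_gb cores
size_tier() {
    if   [ "$1" -ge 4 ] && [ "$2" -ge 2 ]; then echo mid
    elif [ "$1" -ge 2 ] && [ "$2" -ge 2 ]; then echo minimum
    else echo below-minimum
    fi
}

# Full report for one box. Args: cpuinfo meminfo netdir [mountpoint]
check_box() {
    cores=$(cpu_cores "$1"); mem=$(mem_gb "$2")
    nics=$(nic_count "$3");  disk=$(disk_gb "${4:-/}")
    has_aesni "$1" && aes=yes || aes=no
    printf 'cores=%s mem=%sGB disk=%sGB nics=%s aesni=%s tier=%s\n' \
        "$cores" "$mem" "$disk" "$nics" "$aes" "$(size_tier "$mem" "$cores")"
    [ "$nics" -ge 2 ]  || echo 'WARN: need at least 2 NICs (LAN + WAN)'
    [ "$nics" -ge 4 ]  || echo 'NOTE: 4 NICs (LAN, Wi-Fi, DMZ, WAN) recommended'
    [ "$disk" -ge 20 ] || echo 'WARN: need at least 20 GB disk'
}

# Constructed sample of a 2-core AES-NI box with 4 GB RAM and 3 NICs (not real data).
SAMPLE=$(mktemp -d)
printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\n\nprocessor\t: 1\nflags\t\t: fpu sse2 aes avx\n' > "$SAMPLE/cpuinfo"
printf 'MemTotal:        4194304 kB\nMemFree:         1000000 kB\n' > "$SAMPLE/meminfo"
mkdir -p "$SAMPLE/net/lo" "$SAMPLE/net/eth0" "$SAMPLE/net/eth1" "$SAMPLE/net/eth2"
check_box "$SAMPLE/cpuinfo" "$SAMPLE/meminfo" "$SAMPLE/net"
```

Run it with no arguments on the candidate box itself to check the live system instead of the constructed sample.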