Greetings,
I'm considering replacing my software firewall (Microsoft ISA Server)
with a hardware firewall. Someone that I respect has recommended SonicWall.
Here is my scenario. Could you tell me if SonicWall is appropriate?
- The SonicWall will be in a co-location facility, so it needs to be
rack-mountable.
- There will be very few outbound connections, but a lot of inbound
connections -- possibly as many as 20,000 simultaneous inbound TCP
connections at any given time. Will SonicWall handle this load with no
problem?
- I need VPN capability between two branch offices, both of which will
have internal addresses (192.168.0.*). I don't mind buying two SonicWalls,
one for each office. The goal here is that serverA with IP address
192.168.1.5 can route to serverB in another office at IP address
192.168.2.50.
- I will need to bind up to three public IP addresses to the external
interface of the SonicWall. The reason for this is that I may have up to 3
internal servers which need to listen for connections on the same port.
- ...and this is the tough one, the one that most firewalls can't seem
to handle properly. I need to run an FTP server behind the firewall. The
clients of this FTP server will *always* be running in passive mode. You
know the usual passive FTP routine: The first connection comes on port 21
and is forwarded to the internal FTP server. The FTP server then uses a PORT
command to tell the client which address/port to use for the secondary
inbound connection. Since the FTP server is internal, it will typically tell
the client, "ok, connect back to me at 192.168.1.56, port 8976 (for
example)." Since 192.168.1.56 is non-routable, the secondary inbound
connection fails. The ISA firewall handles this situation gracefully because
it has an "FTP application filter" which looks for my FTP server's PORT
command and transparently changes the internal address in the command to be
the external address of the firewall and then opens the appropriate port for
the duration of the session. So my question is: Does SonicWall have this
capability?
I've tried cruising their site to answer some of these questions on my
own but am overwhelmed by the number of different models and all of the
jargon and acronyms.
Thanks for the info,
David
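The address-rewriting step of the "FTP application filter" described in the post, written out as an added Python example (not from the post or from any firewall vendor): it parses the h1,h2,h3,h4,p1,p2 tuple that FTP puts on the control channel, and, if the announced address is private, substitutes the firewall's public address and reports the data port that needs a temporary pinhole. It handles both the 227 passive-mode reply and the PORT command form, which is a generalization of the passive case in the post; the public address 203.0.113.10 and the private ranges are assumed values.

```python
import ipaddress
import re

# Assumed RFC 1918 ranges the filter treats as non-routable.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")]

# Matches the h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the
# "227 Entering Passive Mode (...)" reply; port = p1 * 256 + p2.
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_addr(line):
    """Return (ip, port) announced in a PORT command or 227 reply, else None."""
    m = _ADDR_RE.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed tuple, do not act on it
    ip = ".".join(str(o) for o in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def rewrite_ftp_addr(line, public_ip):
    """ALG step: if the announced address is private, replace it with the
    firewall's public address. Returns (rewritten_line, data_port); data_port
    is the port to open only for the life of this control session, or None
    when no rewrite was needed."""
    parsed = parse_ftp_addr(line)
    if parsed is None:
        return line, None
    ip, port = parsed
    if not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS):
        return line, None  # already routable, leave the line untouched
    new_tuple = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)])
    return _ADDR_RE.sub(new_tuple, line, count=1), port


if __name__ == "__main__":
    # Constructed reply matching the post's example (192.168.1.56, port 8976).
    reply = "227 Entering Passive Mode (192,168,1,56,35,16)."
    print(rewrite_ftp_addr(reply, "203.0.113.10"))
```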