I’m investigating using cDome Firewall Virtual Appliance on specialized dedicated Mini PCs / Devices to be used as a full Secure Gateway Router installed at production customer sites.
The feature and capability list of cDFW is impressive and offers an evolution path to enhance customer networks with a full commercial product. Our intention is to replace current network router/gateway instead of using similar devices from some commercial providers. No open-source ware for these customer production environments.
I’m looking to recommend a reference architecture for a set of Secure Gateway Router devices with cDFW installed where the devices are offered in Tiny, Small, Medium, Large, Huge (or similar labels) with increasing capacity and number of users supported depending on the mix of security features activated. Whew! That was a mouthful : )
I need to keep it simple for the Sales Team to grasp and the Sales Engineers to easily mix and match a reference set to specific customer requirements at affordable prices that compete with the larger commercial providers.
Our target customer base has use cases for:
WAN with WAN Failover,
Dedicated LANs for User Desktops (Wired and Wireless access),
Occasionally Servers are on-site, but usually accessed from the Datacenter. If on-site, they are usually on the same LAN as User Desktops,
On-Site PBX and VoIP Devices, sometimes with Session Border Controllers,
IP Camera Surveillance with Network Video Recorder with external stream viewing,
Point of Sale equipment and
Local Backup Gear that also stream to the off-site Datacenter (you know, that Cloud Thing.)
There are mixes of these devices for small to larger customers and each may have different allotments of the device types. And we strive to segment the network accordingly. So my recommendation needs to scale to accommodate this range of data throughput.
We are trying to refrain from building a larger PC-ish box to be that secure gateway router. We’d like to have something that resembles the usual router / network gear devices to install at customer sites.
I’ve done some research over the last few days and found a few generic vendors with customizable firewall appliances (with various processors, RAM and Disk configurations) that appear to be adequate candidates and more than meet the minimum requirements as stated for cDFW in the introduction and installation documentation.
I’m reaching out to the community to ask if anyone has any experience or Proof of Concept with similar devices and a set of benchmarks for cDFW at various scale-out configurations.
If you’ve made it this far in this rather long post, thanks for reading.
All insight and expertise you can share is greatly appreciated.
What you mentioned can be covered with cDFW. You can prepare USB sticks with the ISO and then boot your hardware with it.
I would recommend that you should scale your hardware boxes based on the number of devices that will go over the firewall. The best would be calculating the throughput required per the network you want to secure. Number of endpoints would help you calculate it roughly. For network peripherals like IP Cameras and such, you can use the same calculation as well. You can also always check for the daily traffic generated per customer via the router and try to calculate concurrent average inbound + outbound data created by your customer network in Mbps.
I would say you should start with a minimum of 2 GB RAM and 2 core x 2 GHz processors. Atom/Celeron like processors can be used for example. For all sizes of boxes you implement, you’d need a minimum of 20 GB disk. Given this is the minimum configuration, you’d be able to carry up to 20-30 endpoints very smoothly. We have seen around 500 Mbps UTM throughput (all features enabled) with such level of hardware.
Next level would be doubling the RAM and the processor for bigger networks. E.g. 4 GB RAM and i3 processors (2 x 3.5 GHz) would help you scale up to covering around 80 endpoints with roughly 1000 Mbps UTM throughput.
From this point forward, you can keep scaling by increasing the RAM and using faster processors.
And as an important note, you would at least need 2 NICs, one for LAN, one for WAN. But, I would recommend having 4 NICs: LAN, Wi-Fi, DMZ and WAN.
Hope this helps. If you have any additional questions or ideas, I can help.
Hi Bulut, Thanks for the reply and info. It’s much appreciated.
The info you provided for architecture and scaling is just what I needed to complete my review and vendor short list. It is extremely helpful.
I have 2 questions regarding the Processor Feature Capability and Networking Port Interfaces to recommend, which I think devices should contain:
Since cDFW has AES functionality, I’m assuming that it would work best on Intel processors that have AES-NI capability? To offload that function to the processor and let it be done by hardware?
I plan on recommending only devices that have Intel Networking Cards and ports. And only the ones from more recent releases such as i210, i211, i219, and i350 families. I’m also assuming cDFW takes advantage of advanced features inherent in these such as RSS queueing capacity. Along this line of thinking I would rule out devices with the older Intel 80000 series Networking Cards, such as the 82583V, since they have been around for a while and Intel has scheduled End of Life for most of them 1H2020. And that the 80000 series would not allow modern firewalls to take advantage of newer networking hardware features. Whew! That was another mouthful.
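A pre-deployment check for the two hardware criteria raised in the post above (AES-NI in the CPU, and enough ports from the recent Intel NIC families rather than the 82583V-class parts), as an added example that is not code from the thread or from cDFW. The cpuinfo and lspci sample lines are constructed, and the family regexes and the WARN/FAIL thresholds are my own reading of the thread, not a vendor requirement.

```shell
#!/bin/sh
# Added example (not from the thread or the cDFW product): pre-check a candidate
# appliance against the criteria above: AES-NI flag in the CPU, at least 2 NICs
# (4 recommended: WAN/LAN/Wi-Fi/DMZ), NICs from the i210/i211/i219/i350 families,
# and none of the older 8257x/8258x-class parts (e.g. 82583V). The functions take
# text arguments so captured /proc/cpuinfo and lspci output can be checked offline.

# 0 when the cpuinfo text carries the "aes" flag (Linux reports AES-NI this way).
has_aesni() { printf '%s\n' "$1" | grep -qw 'aes'; }

# Number of PCI Ethernet controllers in lspci output.
count_nics() { printf '%s\n' "$1" | grep -c 'Ethernet controller' || true; }

# Ethernet controllers from the preferred Intel families named in the post.
count_preferred_intel_nics() {
    printf '%s\n' "$1" | grep 'Ethernet controller' | grep -i 'Intel' \
        | grep -Eic 'I2(10|11|19)|I350' || true
}

# Ethernet controllers from the older 8257x/8258x-class Intel parts.
count_legacy_intel_nics() {
    printf '%s\n' "$1" | grep 'Ethernet controller' | grep -Eic '825[78][0-9]' || true
}

# Prints FAIL/WARN lines; returns 0 only when no hard requirement is missed.
evaluate_box() {
    eb_cpu="$1"; eb_pci="$2"; eb_rc=0
    eb_nics=$(count_nics "$eb_pci")
    eb_good=$(count_preferred_intel_nics "$eb_pci")
    eb_old=$(count_legacy_intel_nics "$eb_pci")
    has_aesni "$eb_cpu" || { echo "FAIL: CPU has no aes flag (AES-NI missing)"; eb_rc=1; }
    [ "$eb_nics" -ge 2 ] || { echo "FAIL: $eb_nics NIC(s); need WAN + LAN"; eb_rc=1; }
    [ "$eb_nics" -ge 4 ] || echo "WARN: $eb_nics NIC(s); 4 recommended"
    [ "$eb_old" -eq 0 ] || { echo "FAIL: $eb_old legacy 8258x-class Intel NIC(s)"; eb_rc=1; }
    [ "$eb_good" -eq "$eb_nics" ] || echo "WARN: $((eb_nics - eb_good)) NIC(s) outside i210/i211/i219/i350"
    return $eb_rc
}

# Constructed sample inputs (not captured from a real appliance).
SAMPLE_CPUINFO='flags : fpu vme sse4_2 aes avx rdrand'
SAMPLE_PCI_GOOD='00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection I219-LM
01:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
01:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
02:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)'
SAMPLE_PCI_LEGACY='03:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection
04:00.0 Ethernet controller: Intel Corporation 82583V Gigabit Network Connection'

evaluate_box "$SAMPLE_CPUINFO" "$SAMPLE_PCI_GOOD" && echo "sample box: OK"
# On the real candidate (Linux): evaluate_box "$(cat /proc/cpuinfo)" "$(lspci)"
```

Whether cDFW itself uses AES-NI or RSS is the open question in the post; this script only confirms the hardware exposes them.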
Thanks for the additional recommendations. Much Appreciated. I now have a clear and total architecture blueprint I can use to recommend a range of devices which scales for increasing capacity and users at a cost effective price point.
Hi @MSP-Joe, Yes. I have a range of devices I’m reviewing depending on use case. They may not be a full “Mini PC” but rather a specialized networking firewall security gateway appliance or device. These usually have 4 or more NIC ports. Although some Mini PCs may be ok if they have at least 2 ports with one for WAN and one for LAN and you need everything to go through a firewall. In that use case just about any will do depending on sizing for Processor, RAM, Disk Space.
Here is my short list of a few brands and models. These are from my own criteria and my needs. I have not tested all of them and I am not fully endorsing any of them. Your mileage may vary…
These are listed in increasing order of capability. In my view anyway : )
Brand: Qotom Network Firewall Appliances
Models: Q150P-S08, Q330G4, Q350G4, Q370G4Y
They have many models from various config arrangements, bare bones to small, medium, large resource components for Processor, RAM, Disk.
Brand: MITXPC Jetway
Brand: MITXPC Supermicro Mini Server