 From:  Tor Bechmann Sorensen <tor at studentergaarden dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Is a m0n0wall the right choice for my institution?
 Date:  Wed, 29 Jun 2005 19:50:01 +0200
As I have mentioned before, I am in the process of setting up a firewall 
for a small institution, for which I work as a part-time "IT person".

I have been telling the decision makers that a "software firewall" 
(i.e. m0n0wall) seems to be a viable alternative to a 
"hardware firewall" (I know these terms are flawed) in our case, since

    1) it only requires a minor investment and thus no risk in that 
sense (if we decide to move to a different solution later we will not be 
bound by a large investment in hardware),
    2) management of the firewall would be just as easy as with a 
    3) it would provide us with more flexibility for future needs 
(we'll be moving a lot and our needs may expand),
    4) working with something I like will make me more likely to enjoy 
my job (I know I'm lucky, my employers actually care ;), and
    5) I think that I can provide the same uptime, and the 
necessary performance, with a m0n0wall.

I have, however, based on the information that I have been able to find, 
started worrying whether 5) is really true.

I am hoping someone here with more experience than myself can help me 
judge whether 5) is true.

Also, our consultants are pressing for us to upgrade our Novell server 
and let them install a Novell BorderManager firewall. I don't have much 
factual knowledge of whether BorderManager is a good solution for us or 
not. However, having the firewall as a piece of software on the server 
does not seem right. Also, I am not too happy about the Novell servers 
(too complex and buggy, feature overkill for our needs). And I don't 
think that it is in the best interest of the institution that we are 
in fact dependent on Novell and these consultants. But on the other hand 
I can't provide a complete alternative solution as of now, and I need to 
work together with these consultants, so I need to have good 
(constructive) arguments ready if I am to install a m0n0wall.

The requirements:

UPTIME. Although not critical, uptime is a priority for the institution, 
since the employees communicate daily with other institutions via email. 
I will not be available to troubleshoot the m0n0wall all the time, so I 
have planned to have an extra m0n0wall handy (even if I install on a 
Soekris or WRAP) in case the primary goes down for some reason, and to 
instruct someone how to turn one off and the other on. Ideally, I would 
like them to dynamically fail over, but that doesn't seem to be an 
available option now. I've been made aware of pfSense (thanks Holger), 
but I can't use alpha software, so while this might be an option in the 
future, it isn't an option now.

NORMAL PERFORMANCE. We have 30-40 employees on the same number of 
Windows XP machines. We do not generate much traffic (probably I'm 
responsible for the majority of the traffic <grin>), so we are nowhere near 
saturating our 10 Mbit line, so on this point I am fairly confident that 
any m0n0wall will handle the traffic. We'll be using many-to-one NAT on 
the connection with port forwarding for the mail server etc., or perhaps 
do something like a filtered bridge, since we actually have plenty of 
IP addresses available, which as far as I can see is perfectly within the 
performance capability of m0n0wall. I'm a bit worried whether, in the 
longer term, IP telephony might cause the Soekris to become obsolete, but 
then again, the minor investment connected with a m0n0wall justifies not 
being too farsighted as to what performance we will need in the future.

VPN. We are in the process of enabling people to work from home, so VPN 
is a requirement for our firewall. I don't expect more than 10-20 
concurrent connections in the near future (guesstimate), with each user 
doing word processing on documents on our file server from home, 
checking email, minor surfing, and occasional larger file transfers, for 
instance video material, to and from the file server.

I need your help in assessing what this translates to in performance 
requirements for the VPN part of m0n0wall.

I'm leaning towards installing m0n0wall on two Soekris 4801s, since WRAPs 
do not seem to be available at the moment. But, judging from the 
information that I have been able to find on this mailing list and in 
Manuel Kasper's performance benchmarks, the Soekris only provides 
about 2 Mb/s of throughput for VPN, and I am worried about whether this 
is enough for our needs. Again I need help judging whether this is 
enough. And I don't think the spare PC hardware that I have available 
will fare any better (AMD K6- or Pentium II-based machines) as a m0n0wall 
box. VPN performance is my main concern as to whether a m0n0wall will 
cut it.

So, I hope I've described what I need help with in an understandable 
way, and that you'll reward my efforts with some help to further a good 
cause ;)

Tor Bechmann Sorensen
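The setup described in the "NORMAL PERFORMANCE" and "VPN" paragraphs (many-to-one NAT for the LAN, a port forward for the mail server, IPsec road-warrior access) maps onto a small IPFilter/ipnat ruleset, which is what m0n0wall generates under the hood from its web GUI. The following is an added illustration written for this page, not rules taken from m0n0wall's own generated configuration or from the poster. Interface names (sis0 = WAN, sis1 = LAN, as on a Soekris net4801), the 192.168.1.0/24 LAN, the 192.168.1.10 mail server and the policy of allowing only SMTP and IPsec inbound are all assumptions for the example. The point worth checking against whatever the GUI produces is the default-deny posture: everything not explicitly passed is blocked and logged, and the inbound SMTP rule matches the internal address because ipnat's rdr rewrites the destination before the filter sees the packet.

```conf
# --- ipnat rules (NAT, applied before inbound filtering) ---
# Many-to-one NAT: every LAN host leaves through the single WAN address.
# 'portmap ... auto' lets ipnat pick source ports for TCP/UDP; the second
# line catches other protocols (e.g. ICMP) for the same LAN range.
map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map sis0 192.168.1.0/24 -> 0/32

# Port forward: inbound SMTP on the WAN address goes to the mail server.
# (Assumed address 192.168.1.10 for the example.)
rdr sis0 0/0 port 25 -> 192.168.1.10 port 25 tcp

# --- ipf rules (filtering) ---
# Default deny in both directions, logged, so that anything not listed
# below shows up in the firewall log rather than silently passing.
block in log all
block out log all

# LAN hosts may initiate anything outbound; state entries carry the
# replies back in without needing a separate inbound rule.
pass in quick on sis1 from 192.168.1.0/24 to any keep state
pass out quick on sis0 proto tcp from any to any flags S keep state
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto icmp from any to any keep state

# Inbound SMTP: rdr has already rewritten the destination to the
# mail server, so the filter rule matches the internal address,
# not the WAN address. Only new TCP connections (SYN) create state.
pass in quick on sis0 proto tcp from any to 192.168.1.10 port = 25 flags S keep state

# Inbound IPsec for the home-office VPN: IKE on UDP/500 plus ESP.
# (Add UDP/4500 here only if NAT traversal is enabled on the VPN.)
pass in quick on sis0 proto udp from any to any port = 500 keep state
pass in quick on sis0 proto esp from any to any
```

The filtered-bridge alternative mentioned in the same paragraph would drop the two map lines and the rdr line entirely (no address translation) and change the SMTP rule to match the mail server's public address; the default-deny rules stay the same. On a box where you cannot be on site to troubleshoot, the logged block rules are also what lets a colleague read off why something is failing before you swap in the spare unit.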