I've worked in a top tier datacenter for about 8 years, both sales engineering and support engineering.
Over time, we've settled on avoiding firewalls if the only use is something simple like blocking all and allowing port 80. Instead we've preferred managed switches with an access list.
The reason is that for the money, you can get a managed switch that is going to be much faster at managing traffic flow. Even with rather expensive Junipers, when it comes to any kind of attack, it's not bandwidth that chokes out the firewall, it's sessions. Since managed switches don't usually have such a limitation and filter traffic on a lower layer, the switches can handle massive amounts of sessions (such as those spun up during an attack) when compared to a firewall.
I know that bigger firewalls can handle more sessions than cheaper ones, but many of our customers have servers that are simply hosting websites and don't need anything more than a 'deny all, allow 80' type of rule. We can get the session capacity and throughput needed for the customer at a much lower price point with a managed switch than a multi-purpose firewall.
Does this make sense? I've been working on the sales side of things for the past few years so I'm starting to lose grip on the technical aspects and I want to make sure I'm understanding this properly.
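A toy model of the two filtering styles the post contrasts, added here as an illustration (not code from the original post): a stateless 'deny all, allow 80' access list evaluated per packet with no memory, next to a stateful filter whose every new flow occupies a session-table slot. The trace, the addresses and the 1000-entry table size are constructed assumptions; it shows why session count rather than bandwidth is what exhausts the stateful device, and the price of statelessness, which is that the ACL cannot tell a genuine return packet from any other ACK-flagged packet.

```python
from typing import NamedTuple, Callable, List, Tuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

# Stateless switch ACL: ordered rules, first match wins, nothing remembered between packets.
ACL: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("allow", lambda p: p.dport == 80),   # anything addressed to the web service
    ("allow", lambda p: p.ack),           # 'established'-style rule so server-initiated flows get replies
    ("deny",  lambda p: True),            # deny everything else
]

def acl_decide(p: Packet) -> str:
    for action, match in ACL:
        if match(p):
            return action
    return "deny"

class StatefulFirewall:
    """Same policy, but new flows are admitted only while the session table has room."""
    def __init__(self, max_sessions: int):
        self.max_sessions = max_sessions
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow"                 # packet belongs to a tracked session
        if p.syn and not p.ack and p.dport == 80:
            if len(self.sessions) >= self.max_sessions:
                return "deny"              # table exhausted: a legitimate new client is refused
            self.sessions.add(fwd)
            return "allow"
        return "deny"                      # no session and not a valid flow start

def run_trace(packets: List[Packet], max_sessions: int) -> List[Tuple[str, str]]:
    fw = StatefulFirewall(max_sessions)
    return [(acl_decide(p), fw.decide(p)) for p in packets]

def build_trace(half_open: int) -> List[Packet]:
    # Constructed sample traffic: many half-open SYNs from one host, then a real client,
    # then a SYN to port 22, then an ACK-flagged packet to port 22 with no session behind it.
    srv = "203.0.113.10"
    trace = [Packet("198.51.100.7", 1024 + i, srv, 80, True, False) for i in range(half_open)]
    trace += [Packet("192.0.2.5", 40000, srv, 80, True, False),
              Packet("192.0.2.5", 40001, srv, 22, True, False),
              Packet("192.0.2.5", 40002, srv, 22, False, True)]
    return trace
```

Running `run_trace(build_trace(1000), 1000)` shows the real client allowed by the ACL but refused by the full session table, while the final ACK-only packet is passed by the ACL and refused by the stateful filter.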