Introduction to Hardware Firewall

Overview

SoftLayer’s Hardware Firewall offerings provide customers with an essential layer of security that is provisioned on demand without service interruptions. The Hardware Firewall services prevent unwanted traffic from hitting your servers, reducing your attack surface and allowing your server resources to be dedicated to their intended use.

Hardware Firewalls are available as an add-on feature for all servers on the SoftLayer public network.

 

SoftLayer Hardware Firewalls

SoftLayer's Hardware Firewalls are network devices that are connected upstream from the server environment (pod), blocking unwanted traffic before it reaches your server. All Hardware Firewalls are built on enterprise-grade hardware firewall appliances, and customers choose between the Shared Firewall, Dedicated Firewall, and Fortigate Security Appliance based on their specific performance and feature requirements. Hardware Firewalls can be added at any time without the need to re-IP the server and can be activated instantly. Since monthly server bandwidth is recorded at the server switch port, traffic blocked by the Hardware Firewall is not counted against your monthly allotments, eliminating the need to pay for unwanted traffic.

 

Hardware Firewall (Shared)

Intended Use: Single Server Primary IP Protection

User Interface: Integrated into SoftLayer Control Portal and SoftLayer API

Features: Stateful Packet Inspection, Ingress Firewall Rules, IPv4, IPv6, Basic Logging

Throughput: 10Mbps, 100Mbps, 1000Mbps, or 2000Mbps (the throughput of the Hardware Firewall (Shared) instance must match the uplink speed of the server the firewall is being added to)

The Hardware Firewall (Shared) leverages a multi-tenant enterprise platform to protect an individual server. It can be purchased with the server or added on later. It delivers virtualized network security through its Virtual Domain (VDOM) technology, providing virtualized security domains that are separately provisioned and managed. Because there are multiple customers associated with the hardware, if the firewall fails or is overwhelmed by an attack, every customer that shares a Hardware Firewall (Shared) instance may be impacted. Up to 79 firewall rules can be configured for the primary and statically routed IP addresses assigned to the server. Reports for Shared Firewalls are available based on the activity of a single IP for a selected date range.

 

Hardware Firewall (Dedicated)

Intended Use: Single Public VLAN Protection

User Interface: Integrated into SoftLayer Control Portal and SoftLayer API

Features: Stateful Packet Inspection, VLAN Protection, Ingress Firewall Rules, Basic Logging, IPv4, IPv6, High Availability (Optional)

Throughput: 2000Mbps

The Hardware Firewall (Dedicated) leverages a dedicated single-tenant appliance to protect any or all servers on a public VLAN. It is purchased separately from a server order and can be added to a public VLAN at any time. Firewall rules can be applied on a per-IP or per-subnet basis. High availability can also be ordered, which provides two appliances in an active-passive deployment with synchronized configurations.

 

Fortigate Security Appliance

Intended Use: Single Public VLAN Protection

User Interface: Fortigate GUI and Command Line Interface

Features: Stateful Packet Inspection, VLAN Protection, Ingress Firewall Rules, Egress Firewall Rules, NAT, SSL VPN Termination, IPSec VPN Termination, Advanced Logging, High Availability (Optional)

Throughput: 2000Mbps

A Fortigate Security Appliance (FSA) is a dedicated single-tenant network device that is connected upstream from a server and protects any or all servers on a public VLAN. It is purchased separately from a server order and can be added to a VLAN at any time. SoftLayer deploys the 300 series Fortigate Security Appliance within a Virtual Domain (VDOM) on the dedicated appliance, allowing customers full access to that virtual domain without compromising the integrity of the device. Customers have virtually full access to advanced features and the ability to fine-tune the device to a much higher degree than other products. The firewall blocks or shapes traffic before the traffic ever reaches the server. The main advantages are that a server only has to handle 'good' traffic and that bandwidth can be constrained for less critical communications. Customers can manage the FSA either through the web-based FortiOS GUI or the CLI (Command Line Interface) via SSH. High availability can also be ordered, which provides two appliances in an active-passive deployment with synchronized configurations.

 

Related Products and Services

Network Gateway Device

Related Features: Software Router, Multi-VLAN Management, Public/Private VLAN Management, VPN, BYOIP

 

Citrix Netscaler

Related Features: WAF, Local Load Balancing, Global Server Load Balancing, SDN