Converting a Cisco IronPort to a overkill home router.



Background

When i started researching for a new firewall I had my current firewall (pfsense) virtualized. This can work in many environments but the reason it couldn't work in mine was I didn't have a High Availability environment. This means if any part of my server infrastructure went down, I lost internet for all devices. I kept restarting my server for some testing so it became very inconvenient.

My quest for a better solution began. I decided to figure out what i needed from a firewall/router. After some time researching options and configurations, i came to a handful of requirements.

1. Compatibility with an Open Source firewall (Pfsense, Opensense)
2. Rack Mountable
3. Small(ish)
4. Expandable.


The chosen one

There were several first choices when picking a router. The usual like an r210 II or a whitebox build like serverbuilds.net.   These are both very great options but they both have their own downfalls, the R210 is a full blown server and the whitebox would cost more to make rackmount. Then JDM suggested the HP 290 but although it was extremely energy efficient it was a bit bigger than preferred and not rack mountable.

The search continues

With the above choices out of the round up i continued looking for more options. I came across several more USFF options like the generic intel PCs,   an PCEngines APU and a few others.

Many of these options are awesome just for the highly efficient factor alone. Thinking back it's amazing how far computers have come in just 10 years.  But they either weren't expandable, or just didn't have great compatibility to  PFSense or OPNsense.


After feeling like I've exhausted my options i came across a post on reddit about using an Cisco Ironport for a home router. These were originally built for advance web threat detection and monitoring for up to 1,500 users. They allegedly were able to detect Zero Day exploits and because of the major footprint cisco has on the world of networking they are able to analyze 100s of terraybytes of data and filter out malicious software and exploits.

Overall these were built for a purpose and that purpose required some pretty strong hardware. Acording to several forum posts they are based on the same board as the ASA 5525 but missing a few chips that allowed more nics. The Ironport s170 to the core is a mini server. It has 4GB ram and a pentium. Both are upgradable, the ram to 32GB and the cpu has plenty of options including a variety of Xeons and a few i3/5 if AEs-ni are needed.

The final Test




After seeing that the Ironport crosses off all my needs and wants, I decided to buy one off of ebay. And at that moment I was in the final leg of the race. I was ready to get this up and running, but I had to solve a  small problem, it didn't have a video output and the console wasn't cooperative. Fortunately it had a header on board that I could "convert" to a vga output.

After hooking up a converter I was able to get the install going. I chose OPNSense over Pfsense mainly because of the whole AES-NI debacle, but that's a whole post itself. The install was pretty straight forward and didn't require anything special, however I did only install on one ssd, but with two you should be able to just select a raid 1 from OPNsense.

Conclusion

Overall I'm pretty impressed with what this little thing can do and it's only under $100 used. You can't find anything else that comes close to this within the price point. Plus you don't have to buy any additional hardware like a quad nic or a shelf to rack mount. In additon, if you wanted too, you can probably add some more ram and stronger processor and you have a pretty good hypervisor host.

Comments

Post a Comment

Popular posts from this blog

I just made my first options trade on Robinhood

I just made my first Options Trade on Robinhood. What is Robinhood? Robinhood has been in the press lately, and even closed another round of funding  making the founders billionaires . What it essentially does is let the average Joe/Jane off the street to buy and sell stocks with no barrier except a smartphone app. This has let millions of people participate in the stock market when it wasn't possible before.  What is Options Trading? In a nutshell Options allow you to buy or sell a stock at a certain price, but is not required. Let's say I thought apple(AAPL) was going to be above $200 in 1 year, I would then put a Buy (Call) option in for AAPL at 1 year for $200 a share. A year after putting the option in, AAPL is at $215 a share, but because I bought an option at $200 i profited $15.  Of course there is more to it than that, but I won't get into it. If you want to learn more about options trading I suggest starting with this article . The Experience
Read more

How we sped up a Postgresql procedure 50X

Image
  Introduction   What I'm about to explain may seem rudimentary to a DBA but it was over looked by our distinguished engineer. And once you learn the inner workings it's a "duh" kinda moment where you look back and wonder why you didn't see it. What is a Postgres procedure   Let's start with the basics. There are postgresql functions and procedures. The major differences between the two is that functions returns a result while a procedure does not. In addition to the return differences, you Select a function but Call a procedure.   Diving into the specifics, a function is almost like a function in any other programming language. It takes inputs and can manipulate it or use it in a sql statement.     Adding two numbers that are fed as inputs: 1 2 3 4 5 6 7 CREATE FUNCTION add_numbers (first_number integer , second_number integer ) RETURNS integer LANGUAGE SQL IMMUTABLE AS $$ SELECT $ 1 + $ 2 ; $$ ;   Taking two inputs and inserting
Read more

Enhancing connectivity from AWS to my on-premise network

Image
    A little background If you just want to read how to set it up click here   I've been using AWS for nearly 4 years now, soon after starting college. By the way, if you're not aware, AWS offers $100 credit on top of the extremely generous free tier, watch out for a blog post about this. But recently I've been setting up more advanced environments and fine tuning my process that makes it almost necessary to have a direct link to AWS. The problem of advancing infrastructure. Recently I've been using Saltstack to coordinate spinning up and setting up different EC2 instances. As my salt master is on premises this introduced a unique challenge, I needed to have my minions communicate with my  masters but that required opening up ports to my firewall . Obviously this solution wasn't a great one at all as any open ports means the increasing the attack surface. Now of course I could open it only to certain source IPs but when you're constantly spinnin
Read more