Both; they call it "sandwiching the firewall."
We had a call for a design a while back using the Cisco CSSs (ArrowPoints).
The firewall portion called for us to use the CSSs to advertise the
CheckPoint cluster IP address coming in and going out of the network.
Instead of buying 1 or 2 fire-breathing firewall boxes, the virtual
address/cluster (along with CheckPoint's ability to share state across
the cluster) allowed us to scale the firewall pool slower and more
affordably.
Internet/ASP--BGP Router--CSS--CheckPoint(s)--CSS--Intranet
With the PIXs and Raptor (Symantec 6.5) boxes, we had to pass a hash
within each packet (again coming in and going out of the network) so
that the CSS receiving the traffic (after it had been processed through
the firewall) could build a state table, allowing it to know which
firewall packets were sent through and which firewall to send them back
through (effectively keeping track of state across the cluster).
This is also an alternative to deploying PIXs in a primary and backup
scenario, though it also means you don't get the backup firewall
discount.
                              Raptor/PIX
Internet/ASP--Router--CSS-----Raptor/PIX--CSS--Intranet
                              Raptor/PIX
Pretty high level, but this is pretty much how it works.
Big IP, Nortel's recently purchased Alteon, RadWare, Rainfinity,
StoneBeat, Cisco's CSS, they all will do the job for a price.
All the best !!!
Phil
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jason Forrester
Sent: Wednesday, May 22, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Content Switches [7:44742]
All,
I have a quick question regarding content switches. Should the content
switches be placed inside or outside of a firewall? I cannot find any
documentation to support which is better.
Thanks,
Jason Forrester
CCIE 8748
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44752&t=44742
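
A small simulation of the return-path state table described above for the PIX/Raptor case, where the firewalls do not share state. It is an added example, not part of the original posts or any vendor's code. It models the table as a flow-to-firewall map on the inside switch rather than the in-packet hash itself; the firewall names, addresses and SHA-256 selection are constructed assumptions.

```python
import hashlib

FIREWALLS = ["fw-a", "fw-b", "fw-c"]  # constructed pool names (assumption)

def pick(pkt):
    """Direction-sensitive hash over (src, sport, dst, dport)."""
    digest = hashlib.sha256(repr(pkt).encode()).digest()
    return FIREWALLS[int.from_bytes(digest[:4], "big") % len(FIREWALLS)]

def flow_id(pkt):
    """Same key for both directions of one connection."""
    src, sport, dst, dport = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))

def reverse(pkt):
    """Build the reply tuple for a packet."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport)

def simulate(flows, sticky):
    """Return how many replies hit a firewall that holds no session for them."""
    sessions = {name: set() for name in FIREWALLS}  # per-firewall state, not shared
    inside_table = {}                               # inside switch: flow -> firewall
    dropped = 0
    for pkt in flows:
        fw = pick(pkt)                     # outside switch chooses a firewall
        sessions[fw].add(flow_id(pkt))     # that firewall creates the session
        inside_table[flow_id(pkt)] = fw    # inside switch learns the path
        reply = reverse(pkt)
        if sticky:
            back = inside_table[flow_id(reply)]  # return via the learned firewall
        else:
            back = pick(reply)                   # independent hash on the reply
        if flow_id(reply) not in sessions[back]:
            dropped += 1                         # stateful firewall rejects it
    return dropped

# Constructed sample flows: 200 clients to one intranet server on port 443.
FLOWS = [("198.51.100.%d" % (i % 250 + 1), 40000 + i, "10.0.0.10", 443)
         for i in range(200)]

if __name__ == "__main__":
    print("with state table:", simulate(FLOWS, sticky=True))
    print("independent hashing:", simulate(FLOWS, sticky=False))
```

With the state table every reply returns through the firewall that holds its session; with independent hashing on each side, replies that land on a different firewall are counted as dropped.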