1999-03-23-20:06:20 [EMAIL PROTECTED]:
> I've been having trouble finding reliable information about scalable, 
> high-availability firewalls and was hoping some people here may be able 
> to give me some direction.

I'm sure you'll be able to get all the different directions you could possibly
want hereabouts. For some reason a line keeps going through my head, "a point
in every direction is the same as no point at all".

> - The firewall will be protecting an externally hosted web service we're 
>   developing.  High security and high reliability are essential.
> - The traffic passing through the firewall will be 95% inbound SSL3 
>   encrypted web traffic.  The remainder would be outbound DNS queries and 
>   SMTP traffic, and a small amount of inbound management traffic (VPN or 
>   SSH).
> - The system must be able to accommodate T3 levels of traffic (45Mbps).
> - The system must have redundancy/failover capabilities.
> - The system should provide good logging & auditing capabilities.

Are you sure you can't simplify the problem spec a little? If you will
just specify good hard hosts for your web servers --- hosts running a
well-supported OS, kept up to date with the latest security patches, with all
services disabled except only the ones you've named, and running good modern
well-supported patched-up daemons for those services, why then you don't need
any protection at all, and you can meet and exceed standards for a good secure
setup by sticking a router up front with screening rules that allow only the
traffic you indicated to pass through.

You can configure a couple of Cisco routers that can handle full T3s, in an
HSRP pair, and call the job done.

-Bennett
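
As an added illustration (not part of the message above, and not configuration from either correspondent), the screening-router approach it describes could look like this on one Cisco IOS router of the HSRP pair. All addresses, interface names, ACL names and the HSRP group number are assumptions.

```cisco
! Constructed addresses (RFC 5737 documentation ranges):
!   192.0.2.10        web server; also originates the DNS and SMTP traffic
!   198.51.100.0/24   management source network (SSH)
!   192.0.2.1         HSRP virtual gateway shared by both routers
! Interface names and the HSRP group number are hypothetical.
!
ip access-list extended SCREEN-IN
 remark Inbound service traffic: HTTPS from anywhere, SSH from management only
 permit tcp any host 192.0.2.10 eq 443
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
 remark Replies to TCP sessions the server opened (ACK or RST set)
 permit tcp any eq smtp host 192.0.2.10 established
 permit tcp any eq domain host 192.0.2.10 established
 remark UDP carries no flags, so DNS replies can only be matched on ports
 permit udp any eq domain host 192.0.2.10 gt 1023
 remark Keep path MTU discovery working for the HTTPS sessions
 permit icmp any host 192.0.2.10 packet-too-big
 deny ip any any log
!
ip access-list extended SCREEN-OUT
 remark Replies for the inbound services
 permit tcp host 192.0.2.10 eq 443 any established
 permit tcp host 192.0.2.10 eq 22 198.51.100.0 0.0.0.255 established
 remark Server-originated SMTP and DNS
 permit tcp host 192.0.2.10 any eq smtp
 permit udp host 192.0.2.10 any eq domain
 permit tcp host 192.0.2.10 any eq domain
 deny ip any any log
!
! Upstream (T3) side: filter what arrives from the Internet.
interface Serial0/0
 ip access-group SCREEN-IN in
!
! Server side: filter what the servers send, and run HSRP so the servers'
! default gateway (192.0.2.1) survives the loss of this router or its uplink.
! The second router uses 192.0.2.3 and the default priority of 100.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip access-group SCREEN-OUT in
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0
```

These ACLs are stateless: `established` checks only TCP flags and the UDP rule only ports, so the hardened hosts behind the router remain the real control. The `log` keyword on the final deny sends dropped packets to syslog for the logging requirement in the original question.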