On Tue, 23 Mar 1999 [EMAIL PROTECTED] wrote:

> I've been having trouble finding reliable information about scalable, 
> high-availability firewalls and was hoping some people here may be able 
> to give me some direction.
> 
> First, some base requirements:  
> 
> - The firewall will be protecting an externally hosted web service we're 
>   developing.  High security and high reliability are essential.

good

> - The traffic passing through the firewall will be 95% inbound SSL3 
>   encrypted web traffic.  The remainder would be outbound DNS queries and 
>   SMTP traffic, and a small amount of inbound management traffic (VPN or 
>   SSH).

This sounds as if a standard commercial firewall is a bad fit for you (at
least if you need security, not a marketing name).

Going over your traffic requirements:

SSL: not much you can do other than allow it. This is packet-filtering
stuff.

DNS/SMTP: these services by default allow you to relay them through a
single box. Again you do not need special firewall software (and,
depending on the volume, this does not need to go through your main
"firewall" either).

Inbound management (VPN/SSH): unless this is part of the firewall, again
you just need packet filtering to prevent everything else.

> - The system must be able to accommodate T3 levels of traffic (45Mbps).

Easy enough to do with a packet filter.

> - The system must have redundancy/failover capabilities.

Many options to use here.

> - The system should provide good logging & auditing capabilities.

What are you attempting to log?

DNS and mail will provide their own logging.

Your VPN should as well.

For your SSL traffic, all you can log at the firewall is the volume of
traffic and what IP it is from. Other than watching for bandwidth
saturation, you can get better data from your web server logs.

The one other thing you could log is packets that you deny. My question to
you is how much time are you going to have to analyze these logs?

> 
> Before the bandwidth requirements had come into play, we had narrowed down 
> the choices to Gauntlet or Firewall-1 running on 2 Sun 250 servers.  There 
> is some concern, however, as to whether this would be able to handle the 
> bandwidth requirements.  
> 
> The alternatives are looking at other firewall solutions that have higher 
> (perceived) performance such as PIX or ANS, or possibly using a load 
> balancing system in front of the firewalls.  One vendor has also suggested 
> using a Sun cluster solution.  
> 
> I'm a little leery of all of these options since I'm not as knowledgeable 
> about the other firewall products and the other options increase the 
> complexity of the system.  I was also hoping to be able to standardize on 
> one firewall product, since we'll also need a firewall (supporting much 
> more general purpose traffic) in front of our business network.
> 
> Has anyone had experience running a similar configuration that can give 
> some pointers as to what the best options are?  Or are there better 
> options that we're overlooking?
> 

I have a site that does primarily SSL traffic as well (although lower
volume), and what we have is a Cisco router with VERY tight filters (tight
enough that they are not much load on the router; how much load can it be
to say allow port 80 to this subnet, allow 443 to this subnet, allow DNS
and SMTP to these two hosts, deny everything else? :-) with the web servers
behind that. We decided to have a separate network to allow the management
traffic to get to the servers, with its own specialized firewall.

I don't have any particular suggestions for brands, but I would suggest
that you look at plain packet filters, and think twice before paying any
attention to the firewall vendor hype. Most of it does not fit, and you
will spend more time trying to make it fit than to learn two different
products (one for the web servers and one for your normal network).

David Lang


> Thanks very much in advance.
> 
> Scott Miles
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
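The packet-filter policy David describes above (80 and 443 to the web subnet, DNS and SMTP to two hosts, deny everything else) written out as a Cisco IOS extended access list; this is an added example, not the poster's configuration. The addresses (RFC 5737 documentation ranges), the interface name and which host plays which role are assumptions, and the return-traffic entries a stateless filter needs for the servers' own outbound DNS and SMTP are added here because the message does not spell them out.

```cisco
! Added example, not the poster's config. Addresses are RFC 5737
! documentation ranges: 192.0.2.0/24 is the assumed web server subnet,
! 192.0.2.10 the assumed resolver and 192.0.2.20 the assumed mail relay.
ip access-list extended INET-IN
 ! Drop packets arriving from outside that claim our own subnet (spoofing)
 deny   ip 192.0.2.0 0.0.0.255 any log
 ! Inbound web traffic: HTTP and SSL to the web server subnet only
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 permit tcp any 192.0.2.0 0.0.0.255 eq 443
 ! DNS and SMTP only to the two hosts that serve them
 permit udp any host 192.0.2.10 eq 53
 permit tcp any host 192.0.2.10 eq 53
 permit tcp any host 192.0.2.20 eq 25
 ! Stateless filter: replies to those hosts' own outbound queries and mail.
 ! "established" matches only TCP segments with ACK or RST set, so a bare
 ! SYN from outside still falls through to the final deny.
 permit udp any eq 53 host 192.0.2.10 gt 1023
 permit tcp any eq 53 host 192.0.2.10 established
 permit tcp any eq 25 host 192.0.2.20 established
 ! Everything else is dropped. Management reaches the servers over the
 ! separate network the reply describes, so nothing is opened for it here.
 ! "log" is optional: at T3 rates it costs router CPU and produces far more
 ! output than anyone will read, so enable it only while you are looking.
 deny   ip any any log
!
interface Serial0/0
 description Link to provider (assumed interface name)
 ip access-group INET-IN in
```

Because there is no implicit permit, every new service has to be added explicitly, which is exactly the property that keeps the rule set short and the router load low.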

