2000-02-28-14:14:34 Kevin Johnston:
> More information on gigabit firewall request:
>
> I am implementing a gigabit backbone with servers using gigabit NICs,
> transmitting 100-1000MB files at will over the network to/from
> workstations & servers. I need the bandwidth for such high volume.
Harden the servers, then don't bother trying to protect them with
an elaborate firewall; just provide trivial screening in the border
router.

This distributes the burden of the hard part of the firewall's job over
the hosts, where it's easy to scale by adding more boxes.

Disable all services except those you specifically need, and use
packet filtering on the servers to implement whatever restrictions
you want on who can get at them. Just do enough filtering at the
router to keep people from playing silly games with forged
addresses.

You do have a big advantage, though, if you should for some reason
insist on doing more elaborate filtering in the "firewall"; it's a
heck of a lot easier to filter a Gbps worth of 100-1000MB file xfers
than a Gbps worth of 10KB http xfers and smtp dialogs and such like
niggling stuff.

You may be able to pump the bandwidth-handling ability of a
filtering router way up past where most people would expect if you
can surround it with network technologies using larger MTUs, as
another little tweak; most routers are more likely to hit the wall
in packets/second than in bits/second, so using bigger packets
scales their bandwidth up. Of course this hack would leave you
having to deploy additional boxes doing fragmentation and reassembly
if you can't sustain the large MTU all the way to the customers of
the data, but if you can push that job down into smaller-speed choke
points you can still win.
-Bennett
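The packets-per-second argument in the reply above, worked through as an added example (this is not code from the original thread); the 1 Gbps link, the 100,000 frames/s router limit and the MTU sizes are constructed sample values:

```python
"""Added illustration of the packets/second argument: a filtering router
that is bounded in frames/s gets a higher bit-rate ceiling from a larger
MTU, and a large-MTU core hands fragmentation work to its edges.
All link speeds and router limits used here are constructed sample values."""

import math

IP_HEADER = 20                     # bytes, IPv4 header without options
# Bytes each Ethernet frame costs on the wire beyond its IP packet:
# preamble+SFD (8) + MAC header (14) + FCS (4) + inter-frame gap (12).
ETH_OVERHEAD = 8 + 14 + 4 + 12


def frames_per_second(link_bps, mtu):
    """Frames/s a link carries when every frame holds a full-MTU IP packet."""
    return link_bps / ((mtu + ETH_OVERHEAD) * 8)


def router_bps_ceiling(pps_limit, mtu):
    """Bit-rate a router that forwards at most pps_limit frames/s can sustain
    with full-size packets: the 'bigger packets scale their bandwidth up' effect."""
    return pps_limit * (mtu + ETH_OVERHEAD) * 8


def fragments_needed(packet_len, path_mtu):
    """Fragments an IPv4 packet of packet_len bytes splits into when it meets
    a smaller path MTU (the fragmentation/reassembly cost pushed to the edge)."""
    if packet_len <= path_mtu:
        return 1
    payload = packet_len - IP_HEADER
    # Every non-final fragment's payload must be a multiple of 8 bytes.
    per_fragment = ((path_mtu - IP_HEADER) // 8) * 8
    return math.ceil(payload / per_fragment)


def pps_reduction(link_bps, small_mtu, large_mtu):
    """How many times fewer frames/s the same bit-rate needs at large_mtu."""
    return frames_per_second(link_bps, small_mtu) / frames_per_second(link_bps, large_mtu)


if __name__ == "__main__":
    GIGABIT = 1_000_000_000
    for mtu in (1500, 9000):
        print(f"MTU {mtu}: {frames_per_second(GIGABIT, mtu):,.0f} frames/s at 1 Gbps")
    print(f"Router limited to 100k pps at MTU 1500: "
          f"{router_bps_ceiling(100_000, 1500) / 1e9:.2f} Gbps ceiling")
    print(f"9000-byte packets over a 1500-byte path: {fragments_needed(9000, 1500)} fragments")
    print(f"pps reduction 1500 -> 9000: {pps_reduction(GIGABIT, 1500, 9000):.2f}x")
```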