>>Ondrej Grich 07/25/00 7:40 GMT<<

Thanks Chris for your answer. 

Chris Brenton wrote:

>> Situation: High volume internet site. DMZ will host WWW servers, webhosting
>> servers, SMTP servers, DNS servers. The DMZ has to be hidden by PACKET
>> FILTER. No NAT or proxy functionality is needed (the reason is performance
>> issue). My question is what are the best performers on PACKET FILTER MARKETS?
>Couple of questions:
>1) Are the hosts hardened?
>2) Patched?
>3) Will someone be religiously maintaining the patches?
>4) Are you sure?
>5) Are you _really_ sure? ;)

1) As much as we can (as we understand them) = not enough :)
2) yes
3) hopefully yes
4) well ehm..
5) no
 
>
>I ask the above as it will play a big part in determining which
>technology you use. If the hosts will be watched closely, you can
>probably get away with static packet filters (say on a Cisco router). If
>you are not 100% certain the hosts will be maintained, go with a
>stateful filter. Your best bet in this arena is probably a Nokia box
>running FW-1. It's the fastest stateful filter I've seen.

OK, I'll check Nokia out.

<cut> 

> Yup, hardened hosts with static filters. Network based IDS to watch over
> the chicken coop. ;)

OK. I got it.
Qs: Are there NIDS out there which can handle the volume of traffic that is expected
to go in/out of the DMZ? What about a switched environment in the DMZ (traffic between
hosts in the DMZ will not be seen by the NIDS host)? Do you think it is enough to
monitor (by NIDS) traffic coming in/out of the DMZ, not traffic between hosts in
the DMZ? How will this monitoring be done? By copying all traffic which comes
through the port in the switch where the packet filter is connected, I guess.
Has someone successfully deployed such an infrastructure (switched environment,
network NIDS on full duplex 100Mbit)? If yes, what HW was used?

welcome comments, answers especially :)

Cheers

Ondrej Grich

> HTH,
> Chris
> -- 
> **************************************
> [EMAIL PROTECTED] 
> 
> * Mastering Cisco Routers
> http://www.amazon.com/exec/obidos/ASIN/078212643X/ 
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/ 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 