Steve Leach wrote:
> Group,
> I am considering options for new Firewall protection for my employer.
>
> The environment will grow rapidly from 3 Webservers (serving Database queries) to 100 Webservers within 2 years.
>
> Hit rate is now 2million/week, and we expect that to hit up to 80million /week when the operation goes global.
>
> Firewall would have to sit between (using GTA speak from the PDF) users on protected network, large server base on the PSN (public access to the Web Database servers), and Internet (external network).
>
> Question: Is Gnatbox (GB100) a capable solution in handling this kind of load and in what configuration would it need to be implemented (i.e. Fibre Interface / Gigabit etc)
>
> Best Regards,
>
> Steve
First of all, the major issue with load is not the number of hits nor the number of servers, but the pipeline size. If you are paying for a 45Mbps link to the internet, you would be best served by hardware which can move that much data. You probably won't be doing high-volume VPN (which would load the processor) for this kind of application; the question is can GB filter the volume of data you need it to. 2 million hits/week of small text replies is no big deal. 2 million hits a week of big graphic files is a big deal. The fact that it is a database app is important to your systems BEHIND the firewall, irrelevant to the firewall itself.

My recommendation would be to pick your pipe, call GTA's sales department, and ask 'em for a reference customer who is using GNATbox on a similar sized pipe, and talk to a (or several) customer(s) using GB for a similar-sized project.

Secondly, I have a few thoughts about your question (I'm prone to doing that, if you don't want my "unasked for" ramblings, quit reading now 8)... (last chance) (you were warned! 8-)

I tell my clients to plan on two years of life out of a computer at its current role in their business. Sure, they may get more life by rotating the machines around the office, but at a particular role, I suggest a planned life of two years. For internet connectivity options, I suggest a SIX MONTH life cycle. Now, I'm not saying throw everything out every six months, rather plan on a complete review of options and technology on that time schedule -- and be prepared to throw things out on that time schedule IF APPROPRIATE. Even ignoring growth, the connectivity options and capabilities change so fast you shouldn't even try to buy further in advance than that. Add to that growth, and trying to plan two years out in the future is very difficult and probably pointless.
Look at what you are talking about here: a growth factor of 40, over one full generation of computer hardware, and (what I would argue) FOUR generations of Internet connectivity. I would argue this is like trying to plan the layout of your living room 25 years from now -- and in your case, this would be before you got married and had kids. I don't think this is wise.

Further, are you really planning on that kind of growth in one location? Through one firewall? What if there is a power or Internet outage or other operational disaster at that one site? I would think you might be looking at some load distribution, and redundancy would be in order here.

My point is this: A GB100 firewall is a small part of your overall costs in a project like this. GB100 would get you up and running today very cost effectively, and I believe it will handle your needs for some time. As you grow, the LEAST of your company's problems will be throwing away a $3000 firewall. It beats the heck out of a $10,000 firewall that you may well ALSO be throwing out, anyway! IF you outgrow the GB, new options will be available from many vendors -- that's the time to evaluate all your options at that time. You will be better off spending $3000 today and another $3000 in a year than spending $10,000 today, and HOPING it lasts two years.

Nick.
--
http://www.holland-consulting.net/
