This seems a bit bizarre to me. I understand that a University will need some good bandwidth in order to support its needs, however, it is not good policy to firewall on a router supporting bandwidth of this magnitude. Such a router would generally be categorised as a CORE router. These are generally meant to be used purely for forwarding data. QoS, firewalling, and bandwidth management shouldn't be applied here but moved to the distribution or access layers of the network.
I would recommend looking at the network architecture and seeing where connections to different departments are serviced. It is then possible to segregate these areas with other routers which will be serviced by the same 1Gb link. You can then firewall the departmental routers running on 100Mbs links according to their policies. This also leaves scope for the implementation of different policies according to the differing needs of each department or area within the University.

Instead of purchasing multiple routers you could achieve the same effect with a layer 3 (or above) switch and implement PVLANs/VLANs with 1st tier firewalling being implemented via a routing blade and secondary firewalling being implemented off a VLAN port to a PIX or something similar.

Obviously these are just suggestions but I would look at moving the firewalling away from the high bandwidth link and allowing scalable policy implementation according to differing needs. Believe me, within a University there will be squabbles over any policy. Why not allow for a multiple policy implementation on a departmental basis?

I hope this helps.

Cheers,
Mark Searle.

-----Original Message-----
From: John Morris [mailto:[EMAIL PROTECTED]]
Sent: 05 January 2002 02:42
To: security-basics
Subject: Firewall on 1gb connection

What are the current options for firewalls that can handle 1gb throughput? I've got a client that has a 1gb internet connection (a major Univ), and they want to firewall it, but haven't because they haven't found anything that wouldn't impact the performance too much. I've seen firewalls that advertise ~622mbps, but none that claim anything higher, but perhaps I'm wrong. Or could you use a really hefty OpenBSD box with two gigabit fiber cards?

- John