Firewall Wizards mailing list archives
High Performance Firewall solution?
From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 2 Feb 1998 18:59:34 -0800 (PST)
My company is looking for a high performance firewall solution for our web servers (everything is over port 80). By high performance it needs to be able to deal with 1,900Kbit/sec incoming and 9,000Kbit/sec outgoing (sustained) and be able to scale effectively (we're growing at about 5-10%/month). This from what I hear isn't very feasible- the requirements to do the necessary filtering, authentication, etc would overload even a sizeable server. Obviously we don't want to spend 70K for a fully loaded Sun E450 to run our firewall either!

So currently we're looking at what I'll dub a "side firewall configuration". Basically the network looks like this:

                   |                  |
                   |--RND WSD Fe/Pro--|--Web Server Farm
    Internet ------|                  |  running Solaris (100Mbps)
                   |                  |
                   |--Firewall--------|
                   |                  |
                   |                  |
              Public VLAN        Private VLAN (192.168.xxx.xxx)

For those of you not familiar with the WSD, it's a load distributing unit similar to Cisco's Local Director, but also very different. At the core of the WSD is a router/switch- it routes the first packet and acts as a switch for the rest, hence it is able to get high throughput rates. Increased performance can be achieved by running multiple WSD's in parallel (unlike the LD). Hence the single VIP (virtual IP address) on the internet is routed/switched to the web server farm. (Many machines have 1 IP address on the internet.) Since the WSD munges the IP header info as it comes in and goes out, the servers can be on a private network which normally wouldn't be accessible/routeable across the internet. This configuration also requires that the WSD be the default route for the web servers (unlike the LD).

The WSD also allows ACL's, and with a simple ACL there is little performance hit. Basically the WSD's would:

    allow from any to web server port TCP 80
    allow from any to web server established connections   ??? depends on the firewall I guess
    deny everything else

But then I need to figure out a way to allow certain users (Sparc Solaris, Intel Linux, Win95/NT) from the internet to be authenticated into the protected network so they can access the machines securely (encrypted connections) from remote locations (SecureID, RSA Keys/ssh, or the like)- hence the need for the firewall. Preferably this would be done via a VPN solution, because just about everything needs to be supported- TCP, UDP, ICMP.

Management has stated they want the firewall to run on Sparc/Solaris to keep management costs down. It needs to be as transparent as possible, ease of use is a key factor. (Remote) Manageability as well since this configuration will be duplicated at multiple datacenters.

Anyone's experience or thoughts are welcome (Am I even on the right track? I'm not even sure if this is possible!) Distributors/developers of firewall products are also encouraged to respond but probably should do so directly to me and not to the list.

Thanks!

------
Aaron Turner, CNE                          | Email: aturner () vicinity com
Network Engineer                           | Voice: 650.237.0311 x252
Vicinity Corp. http://www.vicinity.com     | Fax:   650.237.0305
Email-to-alpha-page: 4155721411.1146752 () pagenet net [Subject & Body sent]
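The three-rule WSD policy sketched in the post leaves "established" undefined ("depends on the firewall"). This added example, not from the original post or from RND's product, evaluates a constructed packet sequence under both common readings: the stateless one, where "established" means the ACK or RST bit is set (classic router ACL semantics), and a connection-tracked one, where it means the flow was opened by a packet rule 1 already allowed. Addresses, ports and packets are all constructed.

```python
from dataclasses import dataclass

# Constructed private-VLAN addresses standing in for the web server farm.
WEB_SERVERS = {"192.168.1.10", "192.168.1.11"}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def stateless(p: Pkt) -> str:
    """Rule 2 read the classic router way: 'established' = ACK or RST bit set."""
    if p.dst in WEB_SERVERS and p.dport == 80:                       # rule 1
        return "allow"
    if (p.dst in WEB_SERVERS or p.src in WEB_SERVERS) and p.flags & {"ACK", "RST"}:
        return "allow"                                               # rule 2 (no memory)
    return "deny"                                                    # rule 3


class Stateful:
    """Rule 2 read as connection tracking: 'established' = a 4-tuple that was
    opened by a packet rule 1 allowed, so only replies on tracked flows pass."""
    def __init__(self) -> None:
        self.table: set = set()

    def check(self, p: Pkt) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.dst in WEB_SERVERS and p.dport == 80:   # rule 1: client -> server web traffic
            self.table.add(fwd)
            return "allow"
        if rev in self.table:                         # rule 2: server replying on a tracked flow
            return "allow"
        return "deny"                                 # rule 3: everything else, either direction


def evaluate() -> dict:
    """Run a constructed packet sequence through both readings; returns name -> (stateless, stateful)."""
    client, server = "203.0.113.5", "192.168.1.10"
    pkts = {
        "client_syn_80": Pkt(client, 40000, server, 80, frozenset({"SYN"})),
        "server_reply": Pkt(server, 80, client, 40000, frozenset({"SYN", "ACK"})),
        "unsolicited_ack_22": Pkt(client, 40001, server, 22, frozenset({"ACK"})),
        "server_outbound_syn": Pkt(server, 5000, "198.51.100.7", 25, frozenset({"SYN"})),
    }
    st = Stateful()
    return {name: (stateless(p), st.check(p)) for name, p in pkts.items()}
```

Only the unsolicited ACK to port 22 separates the two readings: the stateless ACL passes it, the tracked one denies it, which is the difference a reviewer would want pinned down before relying on rule 2 alone in front of the private VLAN.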
Current thread:
- High Performance Firewall solution? Aaron D. Turner (Feb 02)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)
- Re: High Performance Firewall solution? Aaron D. Turner (Feb 03)
- <Possible follow-ups>
- RE: High Performance Firewall solution? Stout, William (Feb 09)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 09)
- Reactive Firewalls Aleph One (Feb 09)
- Re: Reactive Firewalls Rick Smith (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 10)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 14)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)