Firewall Wizards mailing list archives

Re: Speeds and feeds


From: "Bruce B. Platt" <Bruce.Platt () comport com>
Date: Fri, 29 May 1998 16:06:48 -0400

At 02:06 PM 5/26/98 -0400, Stout, Bill wrote:

After thinking about this for a few minutes, and reading the previous responses:

I thought Thomas H. Ptacek's suggestion to look at the actual data on line
use was right on the money.

I'd want to see that they are actually saturating their T1.  

Alphas are great fw machines, especially running the AltaVista Product, and
I've never seen any of our customers get saturated, but I wouldn't just
throw HW at it.

The IP address depletion is simplest to fix by giving them a FW that will let
them use RFC 1597/1918 addresses behind it.  In today's address space, it's
hard for most organizations to deplete the 10 network!  Your comment about
their internal machines being hit by external packets would be troubling to me.

Regards,

Bruce





->
->I'm working with a company currently using a T1 which becomes very
->sluggish when engineers do many FTP and HTTP sessions through a state
->firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking
->of upgrading to a T3 with a fast proxy server (+ VPN) since they also
->are running out of IPs, and internal systems are getting hit by external
->packets.
->
->My knee-jerk reaction is to use a very fast CPU system (600MHz Alpha)
->and Altavista FW with 100Mbps cards.
->                                             webservers
->                         |
->  Internet--(T3)---R1---FW---+----R2----Internal LAN
->                            VPN
->                         Tunnel Svr
->
->I'm wondering about alternatives to the situation, one is multiple T1s
->coming into a set of BGP net for redundancy, and to partition FTP/HTTP
->proxies on one server, and remaining traffic on a second server
->(allowing future cluster or fail-over via scripts and IP failover of
->secondaries).  Although this actually may be cheaper, faster and more
->reliable, it's more complex, and harder for the company to fix if it
->dies (fails into a degraded mode).  Also most local traffic may route
->through a single T1, and they may inadvertently become an Internet
->eXchange.
->
->    Internet
->    | | | 
->   (n+1 T1s)
->    | | | 
->  Cisco 2500s
->    | | | 
->  Hub/switch
->    |    |
-> FW-A   FW-B
->
->FW-A could be used for outbound client system access, and FW-B could be
->used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
->etc).  A dual-subnet webfarm could connect to third interface on both.
->Hmm, too complex maybe.
->
->Opinions?
->
->Bill Stout
->
->
->
+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street
Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
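Two of the points raised in this exchange lend themselves to a quick check before buying hardware: whether the T1 is really saturated (look at the line-use data rather than guessing), and whether RFC 1918 addresses are showing up on the outside interface, which is what "internal systems getting hit by external packets" usually turns out to mean. The script below is an added example and is not code from either poster or from any product named in the thread. It assumes SNMP-style byte counters sampled at fixed intervals and a constructed key=value firewall log format with an interface named "ext"; both the samples and the log lines are made up for illustration.

```python
"""Two defender-side checks: is the T1 actually saturated, and are
RFC 1918 addresses appearing on the external interface?"""
import ipaddress

T1_BPS = 1_544_000  # nominal T1 line rate, bits per second

# RFC 1918 private address blocks (checked explicitly rather than via
# ipaddress.is_private, which also matches loopback, link-local, etc.)
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SNMP-style samples: (seconds, ifInOctets, ifOutOctets).
# These are invented values, not measurements from any real link.
SAMPLES = [
    (0,   0,          0),
    (60,  11_000_000, 2_000_000),   # ~1.47 Mbit/s inbound: near saturation
    (120, 13_000_000, 2_500_000),   # ~267 kbit/s inbound: mostly idle
    (180, 24_000_000, 2_700_000),   # busy again inbound
]

# Constructed log lines in a hypothetical key=value format.
LOG_LINES = [
    "iface=ext src=198.51.100.7 dst=203.0.113.5 proto=tcp dport=80",
    "iface=ext src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=25",
    "iface=ext src=198.51.100.9 dst=192.168.1.20 proto=tcp dport=139",
    "iface=int src=192.168.1.20 dst=198.51.100.9 proto=tcp dport=80",
]


def counter_delta(old, new, width=32):
    """Difference between two SNMP counters, allowing for a single wrap."""
    return (new - old) % (1 << width)


def interval_utilization(samples, line_bps=T1_BPS):
    """Per-interval (inbound, outbound) utilization as fractions of line rate."""
    result = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        secs = t1 - t0
        if secs <= 0:
            raise ValueError("samples must be strictly increasing in time")
        in_util = counter_delta(in0, in1) * 8 / secs / line_bps
        out_util = counter_delta(out0, out1) * 8 / secs / line_bps
        result.append((in_util, out_util))
    return result


def saturated_intervals(samples, threshold=0.9, line_bps=T1_BPS):
    """Indices of intervals where either direction is at or above threshold."""
    utils = interval_utilization(samples, line_bps)
    return [i for i, (u_in, u_out) in enumerate(utils)
            if max(u_in, u_out) >= threshold]


def parse_log_line(line):
    """Parse one constructed 'key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def flag_private_on_external(lines, external_iface="ext"):
    """Return (index, reason) for packets on the external interface that
    carry an RFC 1918 source (spoofed or unfiltered) or destination
    (internal host reachable from outside, i.e. missing NAT or filter)."""
    findings = []
    for i, line in enumerate(lines):
        rec = parse_log_line(line)
        if rec.get("iface") != external_iface:
            continue
        if is_rfc1918(rec["src"]):
            findings.append((i, f"private source {rec['src']} arrived from outside"))
        elif is_rfc1918(rec["dst"]):
            findings.append((i, f"private destination {rec['dst']} reached from outside"))
    return findings


if __name__ == "__main__":
    for i, (u_in, u_out) in enumerate(interval_utilization(SAMPLES)):
        print(f"interval {i}: in {u_in:.1%}  out {u_out:.1%}")
    print("saturated intervals:", saturated_intervals(SAMPLES))
    for idx, reason in flag_private_on_external(LOG_LINES):
        print(f"line {idx}: {reason}")
```

Run against real counters, a link that only shows one or two 90%-plus intervals per hour is a bursty link, not a saturated one, and the proxy/T3 upgrade question looks different. The second check is the cheap version of the RFC 1918 point: if private source addresses arrive from the Internet, ingress filtering is missing on the border router or firewall; if private destinations are reachable from outside, the address-hiding the firewall was supposed to provide is not in effect.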


