Firewall Wizards mailing list archives

RE: High Performance/ High Availability Firewalls


From: "Burden, James" <JBurden () caiso com>
Date: Fri, 30 Oct 1998 17:33:45 -0800

Zirpini,

I only know of one vendor currently putting out a line-rate OC-3 (OC-12)
firewall.  There are a few that support an ATM interface to their firewall,
but with throughput of 60-90Mb, and this does not include encryption.  

Anyway, StorageTek at
http://www.storagetek.com/StorageTek/network/NetSentry/ATLAS/ has a black-box
solution which loads its policy into the firmware and is thus a layer 1.5
device.  The firewall is basically a bump in the wire (IP-less) and
investigates the first cell.  This cell includes the first 32 bytes of an IP
packet.  Anything in the second 32 bytes of the IP header will not be seen,
such as IP options.  The first cell is the only one that is examined, as the
rest of the cells of the packet will be allowed through or dropped based on
the policy.  Load balancing would be the same as for the network, as the
firewall does not participate in the routing process.  It does not pass
stateful information like FW-1 for redundancy; however, it will do no worse
than a router in the same place (I have not played with this aspect yet).

From the tests that I have seen and participated in I have been impressed,
although I have not tried the encryption half of the test as of yet.
StorageTek claims that with 2500 rules and encryption you will only see a 4%
degradation of service.  

The problem is that this firewall only has 2 NICs for firewalling purposes
(1 for management only), as this device does not have an address.  So a new
design would be required to use this for connecting the Internet to
your intranet, extranet and DMZ.  

Just FYI, I only know of Cylink, Secant and StorageTek providing VPNs at line
rate OC-3.

High performance is a serious issue with all security devices (e.g., IDS,
VPN, firewall).  I jokingly asked a colleague if you could take a
multiprocessor machine and break a wire (OC-3, Gigabit Ethernet) into a
frequency for each processor.  Perhaps some vendor will try it...

Anyway, I hope this helps.  I would like to know if there are any others, or
any feedback on the above.

Happy Hunting,
Jim

James L. Burden         Phone - 916.351.2243
Security Engineer               Page - 916.814.2563
California ISO          Fax - 916.351.2181
http://www.caiso.com    Email - jburden () caiso com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
____________________________________________
   To Teach is to Learn   - Aaron Nimzovich
____________________________________________
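
The first-cell-only inspection Jim describes above has a consequence worth
seeing in code: if the device can only examine the first 32 bytes of the IP
packet, then IP options not only go unseen themselves, they also push the
transport header (and therefore the ports a policy usually keys on) past the
visible window.  The following is an added example, not code from the post and
not StorageTek's firmware; the only fact it takes from the post is the 32-byte
window.  The packet builders, the rule table, the "UNSEEN" verdict and the
fail-closed default are all assumptions made for illustration, and nothing
here says how the real product handles such packets.

```python
"""First-cell-only policy check, as a model of the device described above.

Added example, not code from the original post or from StorageTek.  The only
fact taken from the post is that the device decides on the first ATM cell and
that cell exposes the first 32 bytes of the IP packet.  The rule table, the
packet builders and the fail-closed choice are assumptions for illustration.
"""
import ipaddress
import struct

VISIBLE_BYTES = 32   # bytes of the IP packet the first cell exposes (per the post)
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4(src, dst, proto, payload, options=b""):
    """Constructed IPv4 packet (checksum left at zero; never sent on a wire)."""
    options += b"\x00" * (-len(options) % 4)        # pad options to 32-bit words
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options + payload


def build_tcp(sport, dport):
    """Constructed minimal 20-byte TCP header (SYN flag, no TCP options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def first_cell_view(packet):
    """Parse only the bytes the first cell exposes.

    Fields that fall past VISIBLE_BYTES come back as None: the device never
    sees them, whatever the rest of the packet contains.
    """
    view = packet[:VISIBLE_BYTES]
    if len(view) < 20:
        return None                                  # not even a full base header
    ihl = (view[0] & 0x0F) * 4                       # IP header length in bytes
    fields = {
        "src": str(ipaddress.ip_address(view[12:16])),
        "dst": str(ipaddress.ip_address(view[16:20])),
        "proto": view[9],
        "ihl": ihl,
        "options_fully_visible": ihl <= len(view),
        "sport": None,
        "dport": None,
    }
    # Ports are only visible if the 4 bytes following the IP header fit in the window.
    if fields["proto"] in (PROTO_TCP, PROTO_UDP) and ihl + 4 <= len(view):
        fields["sport"], fields["dport"] = struct.unpack("!HH", view[ihl:ihl + 4])
    return fields


# Hypothetical rule table (assumption): (src net, dst net, proto, dport, verdict).
RULES = [
    ("10.0.0.0/8", "192.0.2.0/24", PROTO_TCP, 80, "ALLOW"),
    ("10.0.0.0/8", "192.0.2.0/24", PROTO_TCP, 25, "ALLOW"),
]


def decide(packet, fail_closed=True):
    """Verdict for the whole packet, taken from its first cell alone.

    Returns "ALLOW", "DENY", or "UNSEEN" when the port the policy needs lies
    beyond the visible window (IP options pushed it there).  With fail_closed
    the UNSEEN case becomes DENY, which is the setting a practitioner should
    insist on for a filter that cannot see the whole header.
    """
    f = first_cell_view(packet)
    if f is None:
        return "DENY"
    src = ipaddress.ip_address(f["src"])
    dst = ipaddress.ip_address(f["dst"])
    for rule_src, rule_dst, proto, dport, verdict in RULES:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and f["proto"] == proto):
            if f["dport"] is None:
                return "DENY" if fail_closed else "UNSEEN"
            if f["dport"] == dport:
                return verdict
    return "DENY"                                    # default deny


if __name__ == "__main__":
    plain = build_ipv4("10.1.2.3", "192.0.2.10", PROTO_TCP, build_tcp(40000, 80))
    # Same flow, but twelve NOP options (IHL=8) move the TCP header to byte 32,
    # exactly one byte past what the first cell shows.
    with_opts = build_ipv4("10.1.2.3", "192.0.2.10", PROTO_TCP,
                           build_tcp(40000, 80), options=b"\x01" * 12)
    print("no options :", first_cell_view(plain)["dport"], decide(plain))
    print("IP options :", first_cell_view(with_opts)["dport"],
          decide(with_opts), decide(with_opts, fail_closed=False))
```

With a 20-byte IP header the TCP ports sit at bytes 20-23 and the policy can
match them; once IP options grow the header to 32 bytes the ports start at
byte 32 and the first cell never shows them, so the only safe verdict is to
drop.  When evaluating any filter that works on a fixed prefix of the packet,
this is the test to run before trusting its port-based rules.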

-----Original Message-----
From: Uwe Zirpner [mailto:Uwe.Zirpner () rsw sni de]
Sent: Monday, October 26, 1998 10:20 AM
To: firewall-wizards () nfr net
Subject: Q:High Performance/ High Availability Firewalls


Hey folks,
I'm searching for more information about high performance firewalls,
e.g. in an ATM network environment, or setting up an expandable load
balancing firewall (e.g. a parallel firewall).

I just read two interesting papers by Uwe Ellermann et al. (DFN)
about this topic, but has anybody already had some experience in
implementing such a firewall?

Which system requirements should the firewall hardware have to handle
the ATM traffic throughput (e.g. RAM, processors)?

The site has roughly 2000 users, mainly classic WWW/FTP/MAIL traffic.
The firewall should have a minimum of 4 network cards:
- Internet, internal net, DMZ, extranet

As far as high availability is concerned,
I would like to combine the "load balancing topic" with this topic.
Is this possible?  Any recommendations, or things NOT TO DO?

For high availability
I only know StoneBeat for Firewall-1.  Are there any other products
or concepts for other "well known firewall products" out there?

TIA Zirpini
