Firewall Wizards mailing list archives
RE: High Performance/ High Availability Firewalls
From: "Burden, James" <JBurden () caiso com>
Date: Fri, 30 Oct 1998 17:33:45 -0800
Zirpini, I only know of one vendor currently putting out a line rate OC-3 (OC-12) firewall. There are a few that support an ATM interface to their firewall, but with throughput of 60-90Mb, and this does not include encryption. Anyway, StorageTek at http://www.storagetek.com/StorageTek/network/NetSentry/ATLAS/ has a blackbox solution which loads its policy into the firmware and is thus a layer 1.5 device. The firewall is basically a bump in the wire (IP-less) and investigates the first cell. This cell includes the first 32 bytes of an IP packet. Anything in the second 32 bytes of the IP header will not be seen, such as IP options. The first cell is the only one that is examined, as the rest of the cells of the packet will be allowed through or dropped based on the policy. Load balancing would be the same as the network, as the firewall does not participate in the routing process. It does not pass stateful information like FW-1 for redundancy; however, it will do no worse than a router in the same place (I have not played with this aspect yet).
From the tests that I have seen and participated in I have been impressed, although I have not tried the encryption half of the test as of yet. StorageTek claims that with 2500 rules and encryption you will only see a 4% degradation of service. The problem is that this firewall only has 2 NICs for firewalling purposes (1 for management only), as this device does not have an address. So, a new design would be required to use this for connecting the Internet to your intranet, extranet and DMZ.

Just FYI, I only know of Cylink, Secant and StorageTek providing VPNs for line rate OC-3. High performance is a serious issue with all security devices (e.g., IDS, VPN, firewall). I jokingly asked a colleague if you could take a multiprocessor machine and break a wire (OC-3, Gigabit Ethernet) into a frequency for each processor. Perhaps some vendor will try it...

Anyway, I hope this helps. I would like to know if there are any others, or feedback on the above.

Happy Hunting,
Jim

James L. Burden          Phone - 916.351.2243
Security Engineer        Page  - 916.814.2563
California ISO           Fax   - 916.351.2181
http://www.caiso.com     Email - jburden () caiso com
41DF 0E4C 26E0 2FD3 8C81 A260 5C40 280E B4AE 7420
____________________________________________
To Teach is to Learn - Aaron Nimzovich
____________________________________________

-----Original Message-----
From: Uwe Zirpner [mailto:Uwe.Zirpner () rsw sni de]
Sent: Monday, October 26, 1998 10:20 AM
To: firewall-wizards () nfr net
Subject: Q:High Performance/ High Availability Firewalls

Hey folks,

I'm searching for more information about High Performance Firewalls, e.g. in an ATM network environment, or setting up an expandable load balancing firewall (e.g. parallel firewall). I just read two interesting papers by Uwe Ellermann & Co. (DFN) about this topic, but has anybody already had some experience in implementing such a firewall? Which system requirements should the firewall hardware have to handle the ATM traffic throughput (e.g. RAM, processors)? The site has roughly 2000 users, mainly classic WWW/FTP/MAIL traffic.

The firewall should have a minimum of 4 network cards: Internet, internal net, DMZ, extranet.

As far as High Availability is concerned, I would like to combine the "Load Balancing topic" with this topic. Is this possible? Any recommendations, NOT TO DO?

For High Availability I only know StoneBeat for Firewall 1. Are there any other products or concepts for other "Well Known Firewall Products" out there??

TIA
Zirpini
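The limitation Jim describes above (a first-cell-only filter sees just the first 32 bytes of the IP packet, so IP options past that window, and any transport header they push past it, go unexamined) worked through as an added example; this is not code from the post or from StorageTek, and the 32-byte window, the packet builder and the "allow web only when the port is visible" policy are assumptions constructed for illustration:

```python
import struct

WINDOW = 32  # bytes of the IP packet visible in the first cell, as the post states (assumed)


def build_ipv4(src, dst, proto, payload, options=b""):
    """Construct an IPv4 packet (checksum left zero; constructed test input only)."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + options + payload


def first_cell_view(packet, window=WINDOW):
    """Return what a filter that inspects only the first `window` bytes can actually see."""
    cell = packet[:window]
    ihl = (cell[0] & 0x0F) * 4          # header length in bytes (20 without options)
    proto = cell[9]
    src = ".".join(map(str, cell[12:16]))
    dst = ".".join(map(str, cell[16:20]))
    options_total = ihl - 20
    options_seen = max(0, min(ihl, window) - 20)
    ports = None
    # TCP/UDP source and destination ports are only visible if they fit inside the window.
    if proto in (6, 17) and ihl + 4 <= window:
        ports = struct.unpack("!HH", cell[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "ihl": ihl,
            "options_hidden": options_total - options_seen, "ports": ports}


def policy_allows_web(packet):
    """Hypothetical policy: allow TCP to port 80, failing closed when the port is not visible."""
    v = first_cell_view(packet)
    return v["proto"] == 6 and v["ports"] is not None and v["ports"][1] == 80


TCP_HDR = struct.pack("!HH", 40000, 80) + b"\x00" * 16   # constructed TCP header stub
PLAIN = build_ipv4("10.0.0.1", "192.0.2.10", 6, TCP_HDR)
# 40 bytes of NOP options (IHL=15): 28 option bytes and the whole transport header
# now lie beyond the 32-byte window, so the filter cannot evaluate them.
WITH_OPTIONS = build_ipv4("10.0.0.1", "192.0.2.10", 6, TCP_HDR, options=b"\x01" * 40)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("with options", WITH_OPTIONS)):
        print(name, first_cell_view(pkt), "allowed:", policy_allows_web(pkt))
```

A policy that must decide on fields it cannot see should fail closed, as `policy_allows_web` does; a device that instead defaults to pass would let the option-bearing packet through unexamined.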