Firewall Wizards mailing list archives

Re: [RE: [High Speed Firewalls]]


From: James Vaughn <j.vaughn () usa net>
Date: 2 Mar 00 11:09:46 CST



Greetings,

The following is a perfect example of why I tried to send mail directly to Mr.
Baez, and mentioned saving bandwidth on the mailing list...  But since that
failed...

"Woeltje, Donald" <dwoeltje () sebh org> wrote:
You're kidding, right? Neither a router (Cisco or any other) nor BigIP 

Everyone has to have their $00.02 worth of opinion, and that's fine --
experience with particular products, "proof of whatever you want" testing;
experts, as it were, who are "just trying to help" in their own, delightful
way.  I was expressing mine, just as you are.

No, I'm not kidding.  Mr. Baez didn't state the specific reasons he needs this
solution, except to mention large file transfers "across the world," and that
he answers to management.  As stated, I suggested the two solutions with which
I've worked, that produced the desired results in good fashion -- and made
note that others exist.

BigIP an over-priced router with load-balancing?  Depends -- what's Mr. Baez'
(or mine, or anyone's) definition of price?  Cost?  Is it more valuable for
his company to purchase a boxed solution such as provided by F5 or Cisco --
solutions that work, are industry proven, and are "recognized as experts"?  Or
more equitable for him to research, learn, spend time, & set up his own
test-bed until he can graphically illustrate to his superiors which products
actually /will/ work best, in his environment, on their network, for their
needs, within his budget, etc...  He's sending large files -- via...  FTP?
Across network shares?  HTTP-downloadable?  Through email?  If it's a
web-based environment, with a large user group, BigIP is a reasonable
solution.  Otherwise, not.

Thanks to you (and others) he now has a wealth of options to research at his
leisure.  Layer-4 switching?  A good technology, definitely helps increase
data traffic flow IF the rest of the networking infrastructure is optimized,
too -- otherwise it's a waste.  And pricey.  Cisco's supported Layer-4
switching for some time, but they haven't yet broadcast it to market until
they're convinced & have perfected it to a 'rock-solid' state (something I
greatly respect about Cisco.)  And it seems that Layer-4 switches are starting
to come with so many other bells, whistles, & crap that the inherent
advantages are degraded.  Built-in firewall?  I would hope so, given the
visible nature of traffic on Layer 4...  Better, though, if filtering &
security were left to another device.  If he (or anyone) is to consider a
fast-switched solution, I'm sure you'll agree that they should research it &
make sure the rest of their network isn't going to bottleneck the
advantages...

Still, it's a hardware-based solution -- which was my point.  If he wants
efficiency and speed in routing traffic, then a switch-based solution may help
him out.  If he wants the same in /filtering/ traffic (he did mention
'firewall'), then it's not the best solution.  If he wants /both/?  Probably
(mixed-bag of opinions, here) would be best to get separate solutions for each
-- a high-speed core [switch] managing a fast-E, switch-based network,
residing behind a high-end router/firewall solution.  Unless he has a
world-wide LAN (i.e., if his 'campus' is point-to-point across the world) then
he won't have to worry -- but since that doesn't seem to be the case, he will
/have/ to have some kind of routing equipment -- better that it be equipment
specifically designed for that purpose.

And this all assumes, of course, that his is a large, established company with
plenty of funding, time, and manpower.  If his is a small CAD-design shop with
some remote contractors, then the entire discussion is moot...  *grin*

Anyway...  There is no "perfect" solution-in-a-box.  My goal was simply to
recommend -- for further research, not blind acceptance -- solutions that I've
used in the past, and have worked, based on the vague needs he mentioned.

Later,

- James D Vaughn


"Woeltje, Donald" <dwoeltje () sebh org> wrote:
You're kidding, right? Neither a router (Cisco or any other) nor BigIP 5 can
perform as well (all out high-speed performance) as a switched solution,
utilizing a Layer 4 switch, that has built-in firewalling capabilities.
I've done "proof of concept" laboratory testing of these types of solutions.
BigIP is nothing more than an over-priced router with load balancing
capabilities, much like a Cisco router with Cisco's Load Director on it.

If he really just wants the ultimate in performance, I would suggest that he
check out Alteon WebSystems ACESwitch 180 with their ACElerate software (and
all the other Layer 4 switches on the market) to see if that will accomplish
what he wants. However, if he wants a "firewall", then he should get a
recognized firewall product from one of the companies that are recognized as
experts in the IT security industry.

-----Original Message-----
From:       James Vaughn [SMTP:j.vaughn () usa net]
Sent:       Wednesday, March 01, 2000 1:58 PM
To: firewall-wizards () nfr net
Subject:    Re: [High Speed Firewalls]



Hi,

I'd recommend checking into a hardware-based firewall solution, rather than a
software firewall.  Hardware solutions are specifically designed for the
volume of traffic about which you're speaking.  Check www.f5.com for their
BigIP product (which is an internet-centric load-balancing, FW/etc. machine --
i.e., more than just a firewall; depends on why you need this) or
www.cisco.com and look into their PIX solutions.

There are others out there, too -- but these are the ones with which I'm
familiar and trust.

BTW -- Tried to send you an email directly (to save bandwidth on the nfr list)
but the email was rejected:

<hbaez () eos hitc com>:
Connected to 38.177.222.21 but sender was rejected.
Remote host said: 550 Access denied

Probably a spam filter.  ;^)

- James D Vaughn


Henry Baez <hbaez () eos hitc com> wrote:
I am doing research on very high speed firewalls.  I mean firewalls that are
right now available that could handle OC3 and higher speeds via Gig Byte
Ethernet cards.  In searching the recent postings of this list and a lot of
general web searching, I have found only one firewall that claims it can do
so.  It is called PORTUS from a company called Livermore Software
Laboratories.  I would very much like to find at least another vendor which
at least matches the claim of PORTUS, 300 MB plus throughput.  Management,
bless them, likes to have choices; I would like to present more than one
vendor if possible.

I have experience with two commercial firewalls, Checkpoint and Gauntlet, and
one freeware firewall, Ipfilter.  But the links were way under 10 Meg Byte.
None of the firewalls I have worked on 'claim' the speeds I am looking for.
All the magazine 'tests/reviews' I have looked at top out at about 150 Meg.
Byte.  The number of users for this project would not be large, but each one
would be moving Gig Byte size files across the world.


Thanks,

Henry Baez
hbaez () eos hitc com



--------------------------------------------- 
  Attachment: hbaez.vcf 
  MIME Type: text/x-vcard 
--------------------------------------------- 

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

