Firewall Wizards mailing list archives

Re: Next Generation Security Architecture


From: Brian Ford <brford () cisco com>
Date: Tue, 27 Feb 2001 11:49:52 -0500

At 11:32 PM 2/27/2001 +0800, Ng Pheng Siong wrote:
> On Mon, Feb 26, 2001 at 05:50:17PM -0500, Brian Ford wrote:
> > >It's a dead product. Cisco now peddles Arrowpoint. ;-)
> >
> > Buzzzz.  Sorry. Wrong answer.
>
> Ahh, ok. I was just repeating the impression I got from local Cisco
> and resellers. ;-)
>
> In competition against Alteon, Foundry, etc., for load balancing Internet
> servers over T1/E1's, which - Local Director or Arrowpoint - do you
> recommend?

I usually recommend Cisco.  ;-)

It's all about throughput. LD has never had any problems with T-1 loads. But it comes with Ethernet interfaces only (10/100).

In the brave new world where a SP data center is connected via GigE fiber to a multi MBPS drop to hundreds or thousands of residential IP over cable customers you need a bigger, bad-er (that's good) load balancer a la the CSS11000 series.



> > Wouldn't the addition remove some of the load from the server.  I know it
> > does from mine.  I use the Cut-through proxy in the PIX to authenticate
> > users looking at my server (on the Cisco intranet).
>
> Do you mean your PIX assumes the authentication load, then?

Yes. PIX talks to a Cisco ACS (Access Control Server; mine is on NT 4 workstation) via RADIUS or TACACS+ (I'm a TAC person). ACS has implemented the SecurID API and has support for a couple of other authentication engines. Or you could use straight RADIUS (commercial or Merit) or TACACS (freeware). The point is that this is all hidden from the content server.


> I have a question about the cut-thru proxy, if you don't mind: I'm told by
> a local Cisco consultant that the cut-thru proxy has the magical property
> of demanding proxy authentication from your browser even if the browser is
> told it has "direct connection to the Internet." I'd imagine the browser
> will be confused to encounter a proxy authentication challenge in such a
> case?

It's a proxy that is "transparent" to the browser as the PIX is in the forwarding path. To the client browser it's just content.

Using PIX cut-through proxy requires no configuration of the client browser.


> TIA. Cheers.

Best Regards,

Brian


> --
> Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

