Firewall Wizards mailing list archives
Re: Next Generation Security Architecture
From: Brian Ford <brford () cisco com>
Date: Tue, 27 Feb 2001 11:49:52 -0500
At 11:32 PM 2/27/2001 +0800, Ng Pheng Siong wrote:
On Mon, Feb 26, 2001 at 05:50:17PM -0500, Brian Ford wrote:
> >It's a dead product. Cisco now peddles Arrowpoint. ;-)
>
> Buzzzz. Sorry. Wrong answer.

Ahh, ok. I was just repeating the impression I got from local Cisco and resellers. ;-)

In competition against Alteon, Foundry, etc., for load balancing Internet servers over T1/E1's, which - Local Director or Arrowpoint - do you recommend?
I usually recommend Cisco. ;-) It's all about throughput. LD has never had any problems with T-1 loads. But it comes with Ethernet interfaces only (10/100).
In the brave new world where a SP data center is connected via GigE fiber to a multi MBPS drop to hundreds or thousands of residential IP over cable customers you need a bigger, bad-er (that's good) load balancer a la the CSS11000 series.
> Wouldn't the addition remove some of the load from the server. I know it
> does from mine. I use the Cut-through proxy in the PIX to authenticate
> users looking at my server (on the Cisco intranet).

Do you mean your PIX assumes the authentication load, then?
Yes. PIX talks to a Cisco ACS (Access Control Server; mine is on NT 4 workstation) via Radius or TACACS+ (I'm a TAC person). ACS has implemented the SecurID API and has support for a couple of other authentication engines. Or you could use straight Radius (commercial or Merit) or TACACS (freeware). The point is that this is all hidden from the content server.
I have a question about the cut-thru proxy, if you don't mind: I'm told by a local Cisco consultant that the cut-thru proxy has the magical property of demanding proxy authentication from your browser even if the browser is told it has "direct connection to the Internet." I'd imagine the browser will be confused to encounter a proxy authentication challenge in such a case?
It's a proxy that is "transparent" to the browser as the PIX is in the forwarding path. To the client browser it's just content.
Using PIX cut-through proxy requires no configuration of the client browser.
TIA. Cheers.
Best Regards, Brian
-- Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps
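The exchange above, as an added Python model that is not part of the original post and is not Cisco code: an in-path gateway challenges the browser the way an origin server would (401 with WWW-Authenticate, never 407), checks the credentials against an AAA backend, then lets later requests from that address straight through. The class, the constructed user table and the form of the challenge are assumptions of this model; `aaa_check` stands in for the RADIUS or TACACS+ query to the ACS.

```python
import base64
import time

# Constructed user table standing in for the AAA server (the ACS in the
# thread); a real gateway would query it over RADIUS or TACACS+.
AAA_USERS = {"alice": "correct horse"}


def aaa_check(user, password):
    return AAA_USERS.get(user) == password


class CutThroughGate:
    """In-path gateway: authenticate a client address once, then forward."""

    def __init__(self, check=aaa_check, ttl=300, clock=time.monotonic):
        self.check, self.ttl, self.clock = check, ttl, clock
        self.authed = {}  # client IP -> time at which its authentication expires

    def handle(self, client_ip, headers):
        """Return (status, response_headers, forwarded_to_server)."""
        now = self.clock()
        if self.authed.get(client_ip, 0) > now:
            return 200, {}, True  # already authenticated: no AAA round trip
        creds = self._basic(headers.get("Authorization", ""))
        if creds and self.check(*creds):
            self.authed[client_ip] = now + self.ttl
            return 200, {}, True
        # Origin-style challenge. A browser set to "direct connection" handles
        # 401/WWW-Authenticate; 407/Proxy-Authenticate is only expected from a
        # proxy the browser was configured to use.
        return 401, {"WWW-Authenticate": 'Basic realm="gateway"'}, False

    @staticmethod
    def _basic(value):
        """Parse an HTTP Basic Authorization value into (user, password)."""
        scheme, _, blob = value.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob, validate=True).decode()
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
```

Because the cached state is keyed on the client address, every client that reaches this gateway from one shared (NAT) address inherits the first user's authentication until the entry expires.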