Firewall Wizards mailing list archives

RE: High-Availability FW/VPN for Data Centers


From: "Joe Ippolito" <joe () joesnet com>
Date: Tue, 13 Mar 2001 21:55:27 -0800

What about global management?  I need a common database for my internal
networks, DMZs and encryption domains.  80-sites is too much to manage on
100 (~40x2 for HA +20) or more individual devices.  I must use something
like Provider-1 or Cisco Secure Policy Manager.  Does NetScreen have
anything comparable?  The support costs are a very significant part of a
fully-meshed VPN-based WAN of this magnitude.

Thank you for your input.

-----Original Message-----
From: Shane Amante [mailto:shane () amante org]
Sent: Tuesday, March 13, 2001 4:19 PM
To: Joe Ippolito
Subject: Re: [fw-wiz] High-Availability FW/VPN for Data Centers


NetScreen 100
-or-
NetScreen 1000 (very pricey)

-shane


On Mon, Mar 12, 2001 at 07:28:57AM -0800, Joe Ippolito wrote:
We have successfully deployed a primarily VPN-based WAN connecting 59-sites
in a very large manufacturing company.  The push now is to move
line-of-business applications to three data centers, one in the US, one in
Europe and one in Asia.  The data centers will have multiple T3/E3 circuits
to two major providers.  We wish to change the FW/VPN platform that we
currently use due to an occasional NDIS buffer overflow problem that
requires a re-boot.  Hardware for almost all of our firewalls is aging and
is due for refresh.

Some of the requirements are:

Secure Internet firewalls.
High availability - a single hardware failure cannot cause a loss of connectivity.
High throughput - up to 90 Mbits/sec of IPSec 3DES encryption.
Global management - A single database of network definitions, rulebases, etc for over 100 firewalls/VPN devices.

Desirable:

Quality of service so that the transfer of very large CAD files to/from data
centers cannot easily slow down time-sensitive ERP interactive sessions.

Products currently being considered:

Firewall-1/VPN-1 CP HA on Linux and Provider-10
Nokia Fw1/VPN1, VRRP and Provider-10
Cisco Pix and CSPM
MS ISA, Win 2K L2TP/IPSec, NLB, MMC

I do not give the fourth option much chance due to a low level of experience,
but pricing makes it an alternative that I would like to keep in the
analysis for reference.

I would like to get your opinions on the options I have described above for
my initial presentation to my management.

Thank you in advance for your valued input.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
