Firewall Wizards mailing list archives

Re: 10Gb Firewalls


From: "Darden, Patrick S." <darden () armc org>
Date: Tue, 29 Apr 2008 12:41:59 -0400


Cisco Catalyst 6500 with two FWSMs should do it for you, with two more FWSMs it can handle 20Gbps (supposedly).  
Product overview:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/prod_bulletin0900aecd80630a8e_ps2706_Products_Bulletin.html

"The FWSM for Cisco Catalyst® 6500 Series Switches and Cisco 7600 Series Routers is a high-performance, integrated 
stateful inspection firewall with application and protocol inspection engines, providing 5.5 Gbps of throughput; 
100,000 connections per second; and one million concurrent connections."

Ask your vendor for a demo unit to test with to see if it meets your needs.  I've got three of them (cat 6500s), and 
love them dearly, but I have done no throughput tests.

--Patrick Darden


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
Kerry Milestone
Sent: Tuesday, April 29, 2008 4:36 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] 10Gb Firewalls


Hello kind Wizards,

I am investigating the possibilities of putting a firewall on the end of 
a 10Gb link.  I'd like to be able to inspect at 10Gb wirespeed.  As this 
is a scoping project (though it _has_ to happen due to the nature of 
projects in the institute), cost is not the main issue.  I've come 
across the Nortel Switched Firewall 6000, however this 'only' does 6Gb 
throughput.

Alternatively, we have several firewalls which work at 1Gb and are 
wondering if it's better to chanelize [sic] and put say 10 firewalls 
each dealing with different traffic.  In coming years, IP based VPNs to 
other sites will become more used - and more 10Gb links to site perhaps 
building up to a 40Gb WAN backbone.  We currently have an IDS which 
can handle this much volume.

The next question is extending the SAN.  If using iSCSI, is it better 
to leave this traffic off the firewall and just route it through, say a 
GRE tunnel without encryption?

Would be keen to hear any thoughts on the theory of what I want to do. 
Implementation is not so difficult, really after some 'best practices' 
thoughts.


Many thanks,
Kerry.




-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards