Firewall Wizards mailing list archives

Re: High Performance Firewall solution?


From: Bennett Todd <bet () rahul net>
Date: Tue, 3 Feb 1998 04:13:59 -0800

1998-02-03-02:59:34 Aaron D. Turner:
> My company is looking for a high performance firewall solution for
> our web servers (everything is over port 80). By high performance it
> needs to be able to deal with 1,900Kbit/sec incoming and 9,000Kbit/sec
> outgoing (sustained) and be able to scale effectively (we're growing
> at about 5-10%/month).

Piece o' cake. Take whatever seriously muscular router tickles your
fancy --- say a pair of Cisco 7513s running a load-balancing dual-HSRP
config:-). Tell it to block everything except port 80. Or perhaps your
WSD will do this for you. Next, audit those web servers behind so they
do _not_ have bugs in their CGIs (which in general no firewall is going
to help with).

> This from what I hear isn't very feasible- the requirements to do the
> necessary filtering, authentication, etc would overload even a sizeable
> server.

There's no filtering to be done; that HTTP traffic needs to get to the
servers to be serviced, and they need to be configured so they can't be
shot down via clever abuse in-band. And let them handle the
authentication; they need to anyway, as they are what the HTTP customers
are needing to authenticate _to_.

> But then I need to figure out a way to allow certain users (Sparc Solaris,
> Intel Linux, Win95/NT) from the internet to be authenticated into the
> protected network so they can access the machines securely (encrypted
> connections) from remote locations (SecureID, RSA Keys/ssh, or the like)-
> hence the need for the firewall.

If you're going to run ssh in --- which is what I'd use --- just open
up port 22 along with port 80. Ssh can defend itself; it doesn't need
a firewall, a screening router will continue to suffice. I do all my
remote admin of web servers via ssh. Ssh runs beautifully from Sparc
Solaris and Intel Linux. You can get it for Win95/NT as well (from
Data Fellows), but if you're going to allow a totally unsecured and
insecurable internet-connected machine to bore into your servers, why
not just use telnet in and hang a sign on the door saying ``Welcome''?
When you let outside machines tunnel in, to do remote admin or content
update or whatever, the security of your whole system is no stronger
than the security of those remote machines.

> Preferably this would be done via a VPN solution, because just about
> everything needs to be supported (TCP, UDP, ICMP).

This I don't understand --- why would you need to support ``just about
everything''? Are these supposed to be general-purpose compute servers
for arbitrary protocols or something? That would be a Bad Idea.

-Bennett
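The screening-router policy Bennett describes (admit only HTTP and ssh to the web servers, drop and log everything else), written out as an added Cisco IOS example; this is not from the original message, and the 192.0.2.0/24 server subnet and the interface name are placeholders.

```cisco
! Added example (not from the original message): a screening-router ACL
! on the Internet-facing interface that admits only HTTP and ssh to the
! web servers. 192.0.2.0/24 is a placeholder documentation range standing
! in for the server subnet; Serial0/0 is a placeholder uplink interface.
ip access-list extended FROM-INTERNET
 ! web traffic to the servers; the servers themselves must be hardened,
 ! since the router cannot see bugs in the CGIs
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 ! ssh for remote administration; nothing else is let in
 permit tcp any 192.0.2.0 0.0.0.255 eq 22
 ! everything else is dropped and logged so probes show up in syslog
 deny ip any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
```

Replies from the servers leave through the same interface outbound, which this ACL does not touch; a second access-group in the out direction would be needed to restrict what the servers may initiate.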


