Firewall Wizards mailing list archives
Re: High Performance Firewall solution?
From: Bennett Todd <bet () rahul net>
Date: Tue, 3 Feb 1998 04:13:59 -0800
1998-02-03-02:59:34 Aaron D. Turner:
> My company is looking for a high performance firewall solution for our web servers (everything is over port 80). By high performance it needs to be able to deal with 1,900Kbit/sec incoming and 9,000Kbit/sec outgoing (sustained) and be able to scale effectively (we're growing at about 5-10%/month).
Piece o' cake. Take whatever seriously muscular router tickles your fancy --- say a pair of Cisco 7513s running a load-balancing dual-HSRP config:-). Tell it to block everything except port 80. Or perhaps your WSD will do this for you. Next, audit those web servers behind so they do _not_ have bugs in their CGIs (which in general no firewall is going to help with).
> This from what I hear isn't very feasible- the requirements to do the necessary filtering, authentication, etc would overload even a sizeable server.
There's no filtering to be done; that HTTP traffic needs to get to the servers to be serviced, and they need to be configured so they can't be shot down via clever abuse in-band. And let them handle the authentication; they need to anyway, as they are what the HTTP customers are needing to authenticate _to_.
> But then I need to figure out a way to allow certain users (Sparc Solaris, Intel Linux, Win95/NT) from the internet to be authenticated into the protected network so they can access the machines securely (encrypted connections) from remote locations (SecureID, RSA Keys/ssh, or the like)- hence the need for the firewall.
If you're going to run ssh in --- which is what I'd use --- just open up port 22 along with port 80. Ssh can defend itself; it doesn't need a firewall, a screening router will continue to suffice. I do all my remote admin of web servers via ssh. Ssh runs beautifully from Sparc Solaris and Intel Linux. You can get it for Win95/NT as well (from Data Fellows), but if you're going to allow a totally unsecured and insecurable internet-connected machine to bore into your servers, why not just use telnet in and hang a sign on the door saying ``Welcome''? When you let outside machines tunnel in, to do remote admin or content update or whatever, the security of your whole system is no stronger than the security of those remote machines.
> Preferably this would be done via a VPN solution, because just about everything needs to be supported (TCP, UDP, ICMP).
This I don't understand --- why would you need to support ``just about everything''? Are these supposed to be general-purpose compute servers for arbitrary protocols or something? That would be a Bad Idea.

-Bennett
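The screening-router policy Bennett describes above (pass only HTTP and ssh to the web servers, drop everything else inbound), written out as an added Cisco IOS extended access list; this is example configuration, not from the original post. The web server addresses 192.0.2.10 and 192.0.2.11 and the interface name FastEthernet0/0 are assumptions.

```cisco
! Added example (not from the original post): screening ACL for a pair of
! web servers. Assumed: servers 192.0.2.10 and 192.0.2.11, outside
! interface FastEthernet0/0. Entries are checked top to bottom, first
! match wins, and anything not matched is denied.
ip access-list extended OUTSIDE-IN
 remark --- public service: HTTP to the web servers, nothing else
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.11 eq 80
 remark --- remote admin and content update over ssh; ssh does its own
 remark --- authentication and encryption, the router only screens.
 remark --- Replace "any" with the admin networks if they are known.
 permit tcp any host 192.0.2.10 eq 22
 permit tcp any host 192.0.2.11 eq 22
 remark --- replies to connections the servers open themselves (DNS, NTP)
 remark --- would be dropped too; add a "permit tcp ... established"
 remark --- entry here only if the servers really need to dial out.
 remark --- everything else (other TCP ports, UDP, ICMP) is dropped and
 remark --- logged; the log is a cheap record of what was probing.
 deny ip any any log
!
interface FastEthernet0/0
 description outside (Internet-facing)
 ip access-group OUTSIDE-IN in
```

On a dual-HSRP pair the same list goes on the outside interface of both routers, so a failover does not change what is screened.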
Current thread:
- High Performance Firewall solution? Aaron D. Turner (Feb 02)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)
- Re: High Performance Firewall solution? Aaron D. Turner (Feb 03)
- <Possible follow-ups>
- RE: High Performance Firewall solution? Stout, William (Feb 09)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 09)
- Reactive Firewalls Aleph One (Feb 09)
- Re: Reactive Firewalls Rick Smith (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 10)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 14)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)