Firewall Wizards mailing list archives

RE: High Performance Firewall solution?


From: "Stout, William" <StoutW () pios com>
Date: Mon, 09 Feb 1998 18:03:29 -0500

That answer sounded good to me.  Why is a packet filter not appropriate?
Behind that you can use an IP tunnel server or protocol-specific
encryption, plus strong authentication.  Then an IDS to catch those who
might've gotten through the packet filter.  I like Cisco routers, but
NSC borderguard routers respond to Wheelgroup IDS software (Borderware,
Borderguard) and they also have R-R VPN capability (data 'sleeves').

AFA dial-up/tunnel client performance (ref Windows), poor performance
may be caused by MTU setting of 1500 vs. 576 (which works much better)
and other default Windows settings.  F/R and ATM also impact performance
WRT packet size due to packet assembly/disassembly.

Bill Stout


----- Original Message -----
From: Aaron D. Turner [SMTP:aturner () vicinity com]
Sent: Tuesday, February 03, 1998, 12:15:00
Subject:      Re: High Performance Firewall solution?


Trust me we've looked at this sorta thing already.  Problem is when we
need to support ICMP (for ping/traceroute testing), SNMP for Oracle (UDP
traffic) from certain clients some with dynamic IP's.  We also need to
allow ftp to certain machines for customer uploads.  Also the Win95/NT ssh
client sucks compared to the *nix version.  Allowing our two offices and
telecommuters VPN access to the webservers, the DB machines, and NT boxes
which do on the fly rendering is what we're looking for.

<snip>
Piece o' cake. Take whatever seriously muscular router tickles your
fancy --- say a pair of Cisco 7513s running a load-balancing dual-HSRP
config:-). Tell it to block everything except port 80. Or perhaps your
WSD will do this for you. Next, audit those web servers behind so they
do _not_ have bugs in their CGIs (which in general no firewall is going
to help with).
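As an added example (not code from either poster), a minimal first-match packet filter written to the policy the thread describes: everything blocked except port 80 to the web servers, plus ICMP, FTP to an upload host and SNMP from named clients; the addresses, hosts and rule order are constructed assumptions. It also shows why a dynamic-IP SNMP client falls through to the default deny, which is the gap the VPN is meant to close.

```python
# Added example, not from the thread. First-match packet filter over a
# constructed policy; addresses are documentation ranges, not real hosts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # protocol name or "any"
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    dport: Optional[int] = None    # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


WEB = "192.0.2.0/28"           # web servers (constructed)
UPLOAD = "192.0.2.16/32"       # ftp upload host (constructed)
ORACLE = "192.0.2.32/32"       # DB host polled over SNMP (constructed)
SNMP_CLIENTS = ["198.51.100.7/32", "198.51.100.8/32"]   # static-IP clients

# Rules are checked top-down; the first match wins; no match means deny.
POLICY = (
    [Rule("permit", "tcp", "0.0.0.0/0", WEB, 80),
     Rule("permit", "icmp", "0.0.0.0/0", "192.0.2.0/24"),
     Rule("permit", "tcp", "0.0.0.0/0", UPLOAD, 21)]
    + [Rule("permit", "udp", c, ORACLE, 161) for c in SNMP_CLIENTS]
)


def decide(p: Packet, policy=POLICY) -> str:
    """Return the action of the first matching rule, or deny by default."""
    for r in policy:
        if r.matches(p):
            return r.action
    return "deny"


if __name__ == "__main__":
    # A static-IP client reaches the SNMP port; a dynamic-IP one cannot be
    # identified by address alone, so it hits the default deny.
    print(decide(Packet("udp", "198.51.100.7", ORACLE, 161)))   # permit
    print(decide(Packet("udp", "203.0.113.50", ORACLE, 161)))   # deny
```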
