Firewall Wizards mailing list archives

RE: High Performance Firewall solution?


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 9 Feb 1998 18:43:31 -0800 (PST)


Bennet isn't talking about having an IP tunnel server behind the router in
this statement which you quote.

Actually something along the lines of what you're talking about is sorta
what I originally had in mind without the extra cost of big Cisco routers
and their subsequent cost in $$$ and latency.

The WSDs are already capable of implementing a simple ACL with minimal
performance hit.  But as we all know, the more ACLs you put in, the more
CPU utilization goes up, the more latency increases, and finally response
and throughput to the end user decrease.  So you either get
bigger/faster/more expensive routers to handle the throughput or don't
send your encrypted traffic through the protecting router (in this case
the WSD).

So what we're looking for is basically a proxying firewall (at least that
seems to make the most sense to me) that can sit next to (logically) the
WSDs.  The reason is simple.  The WSDs are the default route for the
web farm.  Hence the only way to get secure traffic ultimately destined
for an authenticated user on the internet at large is for the web server
to think that it's talking to a host on the local network, i.e. the
firewall.

Think of it this way:  All HTTP traffic goes through the WSD to the web
farm (everything else is blocked).  All other traffic is forced to go
through the firewall.

------
Aaron Turner, CNE                        |  Email: aturner () vicinity com
Network Engineer                         |  Voice: 650.237.0311 x252
Vicinity Corp.  http://www.vicinity.com  |  Fax:   650.237.0305
Email-to-alpha-page: 4155721411.1146752 () pagenet net [Subject & Body sent]

On Mon, 9 Feb 1998, Stout, William wrote:

That answer sounded good to me.  Why is a packet filter not appropriate?
Behind that you can use an IP tunnel server or protocol-specific
encryption, plus strong authentication.  Then an IDS to catch those who
might've gotten through the packet filter.  I like Cisco routers, but
NSC borderguard routers respond to Wheelgroup IDS software (Borderware,
Borderguard) and they also have R-R VPN capability (data 'sleeves').

AFA dial-up/tunnel client performance (ref Windows), poor performance
may be caused by MTU setting of 1500 vs. 576 (which works much better)
and other default Windows settings.  F/R and ATM also impact performance
WRT packet size due to packet assembly/disassembly.

Bill Stout


----- Original Message -----
From:       Aaron D. Turner [SMTP:aturner () vicinity com]
Sent:       Tuesday, February 03, 1998, 12:15:00
Subject:    Re: High Performance Firewall solution?


Trust me, we've looked at this sort of thing already.  The problem is that we
need to support ICMP (for ping/traceroute testing) and SNMP for Oracle (UDP
traffic) from certain clients, some with dynamic IPs.  We also need to
allow ftp to certain machines for customer uploads.  Also, the Win95/NT ssh
client sucks compared to the *nix version.  Allowing our two offices and
telecommuters VPN access to the webservers, the DB machines, and NT boxes
which do on-the-fly rendering is what we're looking for.

<snip>
Piece o' cake. Take whatever seriously muscular router tickles your
fancy --- say a pair of Cisco 7513s running a load-balancing dual-HSRP
config:-). Tell it to block everything except port 80. Or perhaps your
WSD will do this for you. Next, audit those web servers behind so they
do _not_ have bugs in their CGIs (which in general no firewall is going
to help with).
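The "block everything except port 80" filter sketched in the quoted reply, written out as a Cisco IOS extended ACL.  This is an added example, not configuration from anyone in the thread; the web farm prefix 192.0.2.0/24, the ACL name and the interface name are assumptions.  It also carries the ICMP exceptions Aaron raised (ping and traceroute), because a stateless filter has to admit the replies explicitly, and it shows where the rest of his list (SNMP, ftp, VPN) falls off the end and has to be handled by the firewall instead:

```text
! Added example, not from the original thread.
! 192.0.2.0/24 stands in for the web farm; WEBFARM-IN and Serial1/0 are assumptions.
!
ip access-list extended WEBFARM-IN
 remark Highest-volume rule first: new and existing client connections to the web servers
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 remark Return traffic for connections the farm itself opened (stateless match on ACK/RST)
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark ICMP needed for ping/traceroute testing from and to the farm
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 remark SNMP/UDP from dynamic-IP clients, ftp uploads and VPN cannot be
 remark expressed here as static source addresses; they go via the firewall
 deny ip any any log
!
interface Serial1/0
 description Internet-facing link in front of the WSD / web farm
 ip access-group WEBFARM-IN in
```

Two practical notes tied to the CPU concern raised above: IOS evaluates ACL entries in order and stops at the first match, so the port-80 permit sits first where nearly all packets terminate; and the `log` keyword on the final deny sends each denied packet to the process path, so on a busy Internet-facing router it is worth rate-limiting or dropping that keyword once the rule set has been verified.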
