Firewall Wizards mailing list archives
RE: High Performance Firewall solution?
From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 9 Feb 1998 18:43:31 -0800 (PST)
Bennett isn't talking about having an IP tunnel server behind the router in this statement which you quote. Actually something along the lines of what you're talking about is sorta what I originally had in mind, without the extra cost of big Cisco routers and their subsequent cost in $$$ and latency.

The WSD's are already capable of implementing a simple ACL with minimal performance hit. But as we all know, the more ACL's you put in, the more CPU utilization goes up, the more latency increases, and finally response and throughput to the end user decrease. So you either get bigger/faster/more expensive routers to handle the throughput, or you don't send your encrypted traffic through the protecting router (in this case the WSD).

So what we're looking for is basically a proxying firewall (at least that seems to make the most sense to me) that can sit (logically) next to the WSD's. The reason is simple. The WSD's are the default route for the web farm. Hence the only way to get secure traffic ultimately destined for an authenticated user on the internet at large is for the web server to think that it's talking to a host on the local network, i.e. the firewall.

Think of it this way: all HTTP traffic goes through the WSD to the web farm (everything else is blocked). All other traffic is forced to go through the firewall.

------
Aaron Turner, CNE                      | Email: aturner () vicinity com
Network Engineer                       | Voice: 650.237.0311 x252
Vicinity Corp. http://www.vicinity.com | Fax: 650.237.0305
Email-to-alpha-page: 4155721411.1146752 () pagenet net [Subject & Body sent]

On Mon, 9 Feb 1998, Stout, William wrote:
> That answer sounded good to me. Why is a packet filter not appropriate? Behind that you can use an IP tunnel server or protocol-specific encryption, plus strong authentication. Then an IDS to catch those who might've gotten through the packet filter.
>
> I like Cisco routers, but NSC Borderguard routers respond to Wheelgroup IDS software (Borderware, Borderguard) and they also have R-R VPN capability (data 'sleeves').
>
> AFA dial-up/tunnel client performance (ref Windows), poor performance may be caused by the MTU setting of 1500 vs. 576 (which works much better) and other default Windows settings. F/R and ATM also impact performance WRT packet size due to packet assembly/disassembly.
>
> Bill Stout
>
> ----- Original Message -----
> From: Aaron D. Turner [SMTP:aturner () vicinity com]
> Sent: Tuesday, February 03, 1998, 12:15:00
> Subject: Re: High Performance Firewall solution?
>
> > Trust me, we've looked at this sorta thing already. Problem is when we need to support ICMP (for ping/traceroute testing), SNMP for Oracle (UDP traffic) from certain clients, some with dynamic IP's. We also need to allow ftp to certain machines for customer uploads. Also the Win95/NT ssh client sucks compared to the *nix version. Allowing our two offices and telecommuters VPN access to the webservers, the DB machines, and NT boxes which do on the fly rendering is what we're looking for.
> >
> > <snip>
> >
> > > Piece o' cake. Take whatever seriously muscular router tickles your fancy --- say a pair of Cisco 7513s running a load-balancing dual-HSRP config :-). Tell it to block everything except port 80. Or perhaps your WSD will do this for you. Next, audit those web servers behind so they do _not_ have bugs in their CGIs (which in general no firewall is going to help with).
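The split-path design Aaron describes above (HTTP only through the WSD, every other protocol through a proxying firewall that the web servers see as a local host) can be sketched as a small policy evaluator. This is an added example, not code from the thread or from Vicinity; all addresses and the set of SNMP/FTP exceptions are constructed, and the firewall's source rewrite is the stated idea that the server "thinks it's talking to a host on the local network".

```python
"""Toy packet-filter model of the design discussed in the thread.

Constructed addressing (not Vicinity's real network): the web farm is
192.0.2.0/24, the WSD admits only TCP/80 to it, and the proxying firewall
sits at 192.0.2.254 and handles the exceptions (ICMP, SNMP, FTP uploads).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_FARM = ip_network("192.0.2.0/24")
FIREWALL = ip_address("192.0.2.254")
SNMP_CLIENTS = {ip_address("198.51.100.7")}   # hypothetical Oracle SNMP client
FTP_TARGETS = {ip_address("192.0.2.20")}      # hypothetical customer-upload host


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0    # unused for icmp


def wsd_acl(pkt: Packet) -> bool:
    """The single cheap router/WSD rule: only HTTP bound for the web farm."""
    return pkt.proto == "tcp" and pkt.dport == 80 and ip_address(pkt.dst) in WEB_FARM


def firewall_policy(pkt: Packet) -> bool:
    """Per-protocol exceptions the thread needed beyond plain HTTP."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst not in WEB_FARM:
        return False
    if pkt.proto == "icmp":                          # ping / traceroute testing
        return True
    if pkt.proto == "udp" and pkt.dport == 161:      # SNMP, only from known clients
        return src in SNMP_CLIENTS
    if pkt.proto == "tcp" and pkt.dport == 21:       # ftp uploads to specific hosts
        return dst in FTP_TARGETS
    return False


def decide(pkt: Packet):
    """Return (path, source address the web server sees) or ("drop", None).

    Traffic admitted by the firewall is proxied, so the server sees the
    firewall's own address and its replies return via the firewall rather
    than via the default route through the WSD.
    """
    if wsd_acl(pkt):
        return "wsd", pkt.src
    if firewall_policy(pkt):
        return "firewall", str(FIREWALL)
    return "drop", None
```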
Current thread:
- High Performance Firewall solution? Aaron D. Turner (Feb 02)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)
- Re: High Performance Firewall solution? Aaron D. Turner (Feb 03)
- <Possible follow-ups>
- RE: High Performance Firewall solution? Stout, William (Feb 09)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 09)
- Reactive Firewalls Aleph One (Feb 09)
- Re: Reactive Firewalls Rick Smith (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 10)
- RE: High Performance Firewall solution? Aaron D. Turner (Feb 11)
- RE: High Performance Firewall solution? Stout, William (Feb 14)
- Re: High Performance Firewall solution? Bennett Todd (Feb 03)