Firewall Wizards mailing list archives

RE: Speeds and feeds


From: "Moser, Stefan" <stefan.moser () csfb com>
Date: Fri, 29 May 1998 12:06:45 +0100

Bill,

Looking at the equation from the firewall speed side I would also consider
the Cisco PIX and FireWall-1 running on a Nokia switch.

Looking at the Nokia, it has a couple of cool features like VRRP support
and traffic shaping. So even if you'd still be forced to use multiple feeds
for performance reasons, it might simplify your setup/eliminate the need
for custom scripting etc. They're fairly cheap too. Obviously you kinda
have to like Firewall-1....

Just my $0.02

-Stefan

-----Original Message-----
From: Stout, Bill [SMTP:StoutB () pioneer-standard com]
Sent: Tuesday, May 26, 1998 7:07 PM
To:   Firewall-wizards
Subject:      Speeds and feeds


I'm working with a company currently using a T1 which becomes very
sluggish when engineers do many FTP and HTTP sessions through a state
firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking
of upgrading to a T3 with a fast proxy server (+ VPN) since they also
are running out of IPs, and internal systems are getting hit by external
packets.

My knee-jerk reaction is to use a very fast CPU system (600MHz Alpha)
and Altavista FW with 100Mbps cards.
                                             webservers
                         |
  Internet--(T3)---R1---FW---+----R2----Internal LAN
                            VPN
                         Tunnel Svr

I'm wondering about alternatives to the situation, one is multiple T1s
coming into a set of BGP net for redundancy, and to partition FTP/HTTP
proxies on one server, and remaining traffic on a second server
(allowing future cluster or fail-over via scripts and IP failover of
secondaries).  Although this actually may be cheaper, faster and more
reliable, it's more complex, and harder for the company to fix if it
dies (fails into a degraded mode).  Also most local traffic may route
through a single T1, and they may inadvertently become an Internet
eXchange.

    Internet
    | | | 
   (n+1 T1s)
    | | | 
  Cisco 2500s
    | | | 
  Hub/switch
    |    |
 FW-A   FW-B

FW-A could be used for outbound client system access, and FW-B could be
used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
etc).  A dual-subnet webfarm could connect to third interface on both.
Hmm, too complex maybe.

Opinions?

Bill Stout
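The "inadvertently become an Internet eXchange" risk in the multi-T1 design above is a transit leak: a router with BGP sessions to two providers re-advertises routes learned from one to the other. The following is an added illustration, not a configuration from either poster. It is a hypothetical Cisco IOS fragment for one of the Cisco 2500s, assuming for illustration that it terminates two of the T1s; the AS numbers, neighbor addresses and the 192.0.2.0/24 block are placeholders.

```cisco
! Added example, not from the thread. Hypothetical Cisco IOS BGP config for one of
! the Cisco 2500s in the n+1 T1 design. All AS numbers and prefixes are
! placeholders (AS 65001 = the company, 65010/65020 = upstream providers,
! 192.0.2.0/24 = the company's own address block).
!
! Only routes that originated locally (empty AS path) may be advertised to either
! provider, so routes learned from provider A are never re-advertised to B.
ip as-path access-list 1 permit ^$
!
router bgp 65001
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 65010
 neighbor 198.51.100.1 description T1 to provider A
 neighbor 198.51.100.1 filter-list 1 out
 neighbor 203.0.113.1 remote-as 65020
 neighbor 203.0.113.1 description T1 to provider B
 neighbor 203.0.113.1 filter-list 1 out
!
! A static route to null0 keeps the aggregate in the routing table so BGP
! can originate it even if an internal link flaps.
ip route 192.0.2.0 255.255.255.0 null0
```

After applying it, `show ip bgp neighbors 198.51.100.1 advertised-routes` should list only the company's own prefix; any provider-learned route appearing there means the filter is not attached to that session.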


