Firewall Wizards mailing list archives

Re: Speeds and feeds


From: "Rodney van den Oever" <roever () nse simac nl>
Date: Fri, 29 May 1998 22:38:52 +0200

> I'm working with a company currently using a T1 which becomes very
> sluggish when engineers do many FTP and HTTP sessions through a state
> firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking

Then why bother upgrading the firewall?


May I suggest an internal caching proxy server?

> of upgrading to a T3 with a fast proxy server (+ VPN) since they also


A proxy server will always be slower than a packet-filter or stateful
inspection type of firewall.

> are running out of IPs, and internal systems are getting hit by external
> packets.


Configure the firewall for address translation and of course block traffic
to internal hosts.

> I'm wondering about alternatives to the situation, one is multiple T1s
> coming into a set of BGP net for redundancy, and to partition FTP/HTTP
> proxies on one server, and remaining traffic on a second server


Dual (active) parallel firewalls: twice the effort needed to monitor and
secure these hosts. I would compare it to resistors in parallel: total
resistance is halved.

Cisco's HSRP (can FW-1 deal with that?) for the internal router would be a
better redundancy solution.

>    Internet
>    | | |
>   (n+1 T1s)
>    | | |
>  Cisco 2500s


I don't think a 2500 can handle a T3 (max. 8Mbps), especially if you're also
using access-lists. You probably need a 36xx or 72xx for that.


>    | | |
>  Hub/switch
>    |    |
> FW-A   FW-B

> FW-A could be used for outbound client system access, and FW-B could be
> used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
> etc).  A dual-subnet webfarm could connect to third interface on both.
> Hmm, too complex maybe.


--
Rodney van den Oever / 06 55868577 / PGP Key ID 0x0A6CCE53
When asked by an anthropologist what the Indians called America
before the white man came, an Indian said simply "ours". - Vine Deloria, Jr.
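The reply above recommends address translation on the firewall plus blocking unsolicited traffic to internal hosts, which addresses both the IP shortage and the "internal systems getting hit by external packets" complaint. The following is an added illustration, not code from the thread or from any firewall product: a toy stateful NAT table that gives many internal hosts one public address for outbound sessions and drops any inbound packet that does not match an existing session. The networks, addresses, ports and packets are constructed sample data (RFC 1918 and documentation ranges), and the class and function names are my own.

```python
"""Toy stateful NAT / filter (added illustration, not from the original post).

Outbound packets from the internal network are translated to one public
address with a fresh source port per session; inbound packets are only
translated back if they match a session created from the inside. Everything
else destined for the inside is dropped, which is the "block traffic to
internal hosts" part of the advice.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed: the LAN behind the firewall
PUBLIC_IP = "203.0.113.1"                            # constructed: the firewall's outside address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulNat:
    """Many-to-one (PAT style) translation with a session table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (src, sport, dst, dport, proto) -> translated source port
        self.outbound = {}
        # (translated port, remote addr, remote port, proto) -> (src, sport)
        self.inbound = {}
        self.dropped = []

    @staticmethod
    def _is_internal(addr):
        return ipaddress.ip_address(addr) in INTERNAL_NET

    def outbound_packet(self, pkt):
        """Translate a packet leaving the LAN; create a session entry on first use."""
        if not self._is_internal(pkt.src):
            # anti-spoofing: only LAN sources may be translated outbound
            self.dropped.append(pkt)
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.outbound[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound_packet(self, pkt):
        """Translate a packet arriving from the Internet, or drop it if unsolicited."""
        key = (pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.dst != self.public_ip or key not in self.inbound:
            # no session from the inside, or addressed straight at a LAN host
            self.dropped.append(pkt)
            return None
        src, sport = self.inbound[key]
        return Packet(pkt.src, pkt.sport, src, sport, pkt.proto)


def run_demo():
    """Walk one HTTP session plus two unsolicited inbound packets; return the results."""
    nat = StatefulNat(PUBLIC_IP)
    # constructed sample traffic: a LAN client fetching a page from a web server
    out = nat.outbound_packet(Packet("10.0.0.5", 1234, "198.51.100.9", 80))
    reply = nat.inbound_packet(Packet("198.51.100.9", 80, PUBLIC_IP, out.sport))
    # unsolicited probe at the public address and a packet aimed directly at a LAN host
    probe = nat.inbound_packet(Packet("192.0.2.7", 5555, PUBLIC_IP, 40001))
    direct = nat.inbound_packet(Packet("192.0.2.7", 5555, "10.0.0.5", 139))
    return {
        "translated": out,
        "reply": reply,
        "probe": probe,
        "direct": direct,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The session table is what makes the two halves of the advice consistent: a single public address serves every LAN client, and the only inbound packets that reach the inside are replies to sessions the inside opened.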