Firewall Wizards mailing list archives

RE: Firewall(s) "maxed" out


From: "Regan, Sharon" <Sharon_Regan () newcourt com>
Date: Fri, 15 Oct 1999 12:54:27 -0400

Hi: 

Sorry for the delay in getting back to you, but we're a three-person
internetwork shop supporting a user population of 5,000+.

Anyway, I believe we have found the new "killer" app.  There are all types
of these free e-mail "services" (if you will), like yahoomail and hotmail,
etc.  Well, there's this new one called visto.

What this one does is allow a user to "synchronize" his/her regular
(company) e-mail with his/her visto mail, calendar, etc., such that,
whenever a new message arrives in the corporate mailbox, you see it in the
visto mailbox.  The users download an app from visto which runs in the
background on the office desktop machine, and which then tunnels data back
to visto inside of HTTP.  So, on the surface of things, it just looks like a
regular browser session.

We're finding increasing numbers of users availing themselves of this
"service" .... word spreads like wildfire among the masses  .... our
firewalls work harder, longer, require more disk space to log all this
stuff, there is additional traffic on the Internet T-1 (which is not there
for the exclusive use of employees ... we actually do e-business ! ), etc.

I've rebuilt my kernel and added more disk space since I posted to the list,
but I'm seriously considering putting an access-list on the serial interface
of my Internet edge router and being done with it, once and for all.

Sharon 


-----Original Message-----
From: Crumrine, Gary L [mailto:CrumrineGL () state gov]
Sent: Thursday, October 14, 1999 1:14 PM
To: Regan, Sharon
Subject: RE: Firewall(s) "maxed" out


Sharon, did you have a look at your logs yet?  Just wondering if my hunch
was correct.  I saw another post that mirrored my comment.

Gary

-----Original Message-----
From: Regan, Sharon [mailto:Sharon_Regan () newcourt com]
Sent: Thursday, October 07, 1999 4:02 PM
To: 'firewall-wizards () nfr net'
Subject: Firewall(s) "maxed" out


Hello People: 

My organization has two primary Internet firewalls at two separate
locations.  One is a Raptor V4.0 running on Solaris 2.5.1 and the other is
Altavista 96 running on D-UNIX V3.2C.

During the past two days, both of these firewalls became "maxed" out, for
lack of a better term.  Specifically, both machines had reached their
maxtask limits and could no longer fork any new processes.  A check of the
systems revealed very large numbers of HTTP connections from individual
internal client workstations.  

Does anyone know of some "new" browser plug-in or service pack which could
be responsible for this?  It has been suggested that IE5 runs each new
browser window as a separate process and that perhaps this could somehow be
responsible.  The problem was first exhibited at one of our locations
yesterday, and then at the second one today.

Both firewalls are old and have been in production for many years.  Neither
can be replaced / upgraded due to a Y2K freeze.

Any ideas on what the culprit could be would be appreciated. 

Thanks. 

SR
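The symptom described in this thread (a firewall hitting its process limit because a few workstations open very large numbers of HTTP connections, and the later finding that a background sync client tunnelling over HTTP was the cause) is the kind of thing a log check can surface before the firewall falls over. The script below is an added example and is not code from the thread or from either firewall vendor; it reads a constructed, simplified connection log (timestamp, source IP, destination host, bytes) rather than the real Raptor or AltaVista log format, and the host name `sync-service.example` is a placeholder standing in for any polling service, not the real one discussed above. It separates ordinary browsing (a modest number of connections spread over several hosts) from a polling client (a steady stream of small connections to one host) by measuring each source's peak connection count in a sliding window and the share of its traffic going to its single most common destination.

```python
"""Flag internal clients whose HTTP connection pattern looks like a background
sync/polling client: many connections in a short window, nearly all to one host.

Added example. The log format is constructed for illustration and is not the
Raptor or AltaVista firewall log format; adapt parse_line() to the real one.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Base time for the constructed sample log (matches the original post's date).
BASE = datetime(1999, 10, 7, 15, 0, 0)


def _line(src, dst, offset_s, nbytes):
    """Build one constructed log line: '<ISO timestamp> <src_ip> <dst_host> <bytes>'."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} {src} {dst} {nbytes}"


def constructed_log():
    """Return constructed sample lines: one normal browser, one polling client."""
    lines = []
    # Ordinary browsing from 10.1.2.10: a few connections over several hosts.
    for off, dst, nb in [
        (0, "www.example-news.test", 15320),
        (3, "www.example-news.test", 2210),
        (9, "www.example-search.test", 8840),
        (40, "www.example-shop.test", 27110),
        (75, "www.example-news.test", 5100),
    ]:
        lines.append(_line("10.1.2.10", dst, off, nb))
    # Background sync client on 10.1.2.55: one small connection every 5 s
    # to the same (placeholder) host for ten minutes = 120 connections.
    for off in range(0, 600, 5):
        lines.append(_line("10.1.2.55", "sync-service.example", off, 410))
    return lines


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def profile_sources(lines, window_s=600, min_conns=50, top_share=0.8):
    """Return {src_ip: finding} for sources that open at least min_conns
    connections within any window_s-second span AND send at least top_share
    of all their connections to a single destination host.

    The first test catches the volume that exhausts a firewall's process table;
    the second separates a polling client (one host) from a user who simply
    has many browser windows open to many sites.
    """
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        per_src[src].append((ts, dst))

    findings = {}
    for src, events in per_src.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: largest number of connections inside any window_s span.
        peak, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > timedelta(seconds=window_s):
                j += 1
            peak = max(peak, i - j + 1)
        if peak < min_conns:
            continue
        dst_counts = Counter(d for _, d in events)
        top_dst, top_n = dst_counts.most_common(1)[0]
        share = top_n / len(events)
        if share >= top_share:
            findings[src] = {
                "connections": len(events),
                "peak_in_window": peak,
                "top_dst": top_dst,
                "top_share": round(share, 2),
            }
    return findings


if __name__ == "__main__":
    for src, f in profile_sources(constructed_log()).items():
        print(f"{src}: {f['connections']} conns, peak {f['peak_in_window']} "
              f"in window, {f['top_share']:.0%} to {f['top_dst']}")
```

The thresholds (50 connections in 10 minutes, 80% to one host) are starting points to tune against a site's own baseline; the useful output is the `top_dst` column, which gives the destination to check when deciding whether a router access-list is the right answer, and the per-source connection count, which shows how close each client is to the firewall's process limit.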

