Firewall Wizards mailing list archives

Re: ethernet-to-ethernet router: a piece of the puzzle


From: Patrick Darden <darden () armc org>
Date: Thu, 14 Dec 2000 08:46:55 -0500 (EST)



A Cisco 2600 would do the trick.  A 3600 would give you room to grow,
interface-wise; and a top end 3600 (3660) would give you plenty of cpu in
case you needed it later.  Are the VPNs ptp?  E.g. if you have two PCs
using a vpn client, then the router would have no extra overhead.  If the
router is one end of a branch-branch or client-server tunnel, then you
would need more cpu, depending on the bandwidth and encryption scheme.

A Nortel CES would do the job really well, as a router, vpn engine, and
even firewall.  I would think a CES 2600 would do it (3des, ipsec, 65Mbps
throughput, 1000 tunnels.)  The windows client software for the CES
rocks--lightweight, small footprint, easy to use, and conflicts with
nothing.

Linux on a PII 450 with 128MB ram and a 20GB hd would do it as well, using
FreeSWAN and IPchains.  Harden the OS though (Bastille would do this for
you.)  Great solution.  Inexpensive too.  

*BSD is a great OS, but I haven't used it in years, so I don't know what
firewall/vpn/routing capabilities it has....  Rock solid, great
networking, fantastic os.

-- 
--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center

On Wed, 13 Dec 2000, Irwin R. Naumann wrote:

What would you recommend as an ethernet-to-ethernet "router" situated between
a 10Mb fibre link WAN and an ethernet LAN?

This would be the first piece of an in-depth security defense.

Requirements:
o ingress/egress filtering for RFC1918 addresses, spoofed addresses, reserved
  network addresses, NETBIOS, other specific ports
o FTP traffic from web/ftp server (5-10 MB per download)
o routing minimum 2 Class C network equivalents
o VPN for 5-10 users
o DMZ

There will be a Stateful Packet Filter firewall sitting between the "router"
and the LAN.

Would you recommend a hardware only solution?

What size CPU and memory would adequately handle a *BSD solution running ipfilter
with 2 or 3 NICs?

I have begun to look at the Gnatbox, Netopia 9100R, Cayman Router, 
Cisco 1600 Series, SonicWall Pro, Multicom Ethernet II, WebRamp 700.

Experiences with any of the above appreciated.

Does anyone in *North America* have experience with Lightning's Multicom
Ethernet II router?

Thanks,

   Irwin

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards



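An added example, written for this page and not code from either poster: the ingress/egress policy that Irwin's requirements list (RFC 1918, spoofed and reserved sources, NetBIOS) evaluated against a few constructed packets, plus the same address/port policy rendered as the static ipchains rules the Linux option in the reply would use. The site prefixes 203.0.113.0/24 and 198.51.100.0/24, the "Internet host" 192.0.2.44, and the interface names eth0 (WAN) and eth1 (LAN) are hypothetical placeholders; the sample packets are constructed.

```python
"""Added example for the firewall-wizards thread above; not from the original
posts. Site prefixes, the outside host address and interface names are
hypothetical placeholders, and the sample packets are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

WAN_IF, LAN_IF = "eth0", "eth1"  # assumed interface names

# Hypothetical site addressing: two Class C equivalents routed behind the router.
SITE_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# RFC 1918 private space: never a valid source arriving from the WAN and
# never a valid destination leaving the site.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Reserved / non-routable space: "this" network, loopback, link-local,
# multicast, class E and the limited broadcast address.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]

# NetBIOS over TCP/IP: name service 137, datagram 138, session 139 (TCP and UDP).
NETBIOS_PORTS = {137, 138, 139}

Verdict = Tuple[str, str]


def _in_any(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def filter_packet(direction: str, proto: str, src: str, dst: str,
                  dport: Optional[int] = None) -> Verdict:
    """First-match policy for one packet. direction is "in" (arriving on the WAN
    link) or "out" (leaving the LAN toward the WAN). Returns (verdict, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        if _in_any(s, RFC1918):
            return ("DROP", "rfc1918-source")
        if _in_any(s, RESERVED):
            return ("DROP", "reserved-source")
        if _in_any(s, SITE_NETS):          # a WAN packet claiming one of our addresses
            return ("DROP", "spoofed-site-source")
        if not _in_any(d, SITE_NETS):      # the router only routes the two site prefixes
            return ("DROP", "not-our-destination")
    elif direction == "out":
        if not _in_any(s, SITE_NETS):      # RFC 2827 egress anti-spoofing
            return ("DROP", "egress-spoof")
        if _in_any(d, RFC1918) or _in_any(d, RESERVED):
            return ("DROP", "private-destination")
    else:
        raise ValueError(f"unknown direction {direction!r}")
    if proto in ("tcp", "udp") and dport in NETBIOS_PORTS:
        return ("DROP", "netbios")
    # Everything else is passed on; the stateful firewall behind the router
    # makes the per-service decision.
    return ("ACCEPT", "default")


def ipchains_rules() -> List[str]:
    """The address/port checks above as static ipchains (Linux 2.2) rules on the
    input chain. -l logs hits to syslog. The not-our-destination check is left
    to the routing table and is not rendered here."""
    rules = []
    for proto in ("tcp", "udp"):                 # NetBIOS, either direction
        rules.append(f"ipchains -A input -p {proto} -d 0.0.0.0/0 137:139 -j DENY")
    for net in RFC1918 + RESERVED + SITE_NETS:   # ingress: bogon and spoofed sources
        rules.append(f"ipchains -A input -i {WAN_IF} -s {net} -j DENY -l")
    for net in RFC1918 + RESERVED:               # egress: private destinations
        rules.append(f"ipchains -A input -i {LAN_IF} -d {net} -j DENY")
    for net in SITE_NETS:                        # egress: only our prefixes may leave
        rules.append(f"ipchains -A input -i {LAN_IF} -s {net} -j ACCEPT")
    rules.append(f"ipchains -A input -i {LAN_IF} -j DENY -l")
    return rules


# Constructed sample packets: (direction, proto, src, dst, dport).
SAMPLE_PACKETS = [
    ("in",  "tcp", "10.1.2.3",     "203.0.113.10", 80),   # RFC 1918 source from the WAN
    ("in",  "tcp", "203.0.113.5",  "203.0.113.10", 25),   # WAN packet claiming a site address
    ("in",  "udp", "192.0.2.44",   "203.0.113.10", 137),  # NetBIOS name service probe
    ("in",  "tcp", "192.0.2.44",   "203.0.113.10", 21),   # FTP to the web/ftp server: passed on
    ("out", "tcp", "192.168.1.5",  "192.0.2.44",   80),   # unrouted private host leaking out
    ("out", "tcp", "198.51.100.7", "192.0.2.44",   443),  # normal egress
]


def run_samples() -> Dict[str, int]:
    """Apply the policy to the sample set, print each verdict, count by reason."""
    counts: Dict[str, int] = {}
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(*pkt)
        counts[reason] = counts.get(reason, 0) + 1
        print(f"{pkt[0]:>3} {pkt[1]} {pkt[2]:>14} -> {pkt[3]:>14}:{pkt[4]:<4} {verdict} ({reason})")
    return counts


if __name__ == "__main__":
    run_samples()
    print("\n".join(ipchains_rules()))
```

Rule order matters in the ipchains rendering: the NetBIOS denies come first so they apply before the per-prefix ACCEPT on the LAN side, and the egress private-destination denies precede that ACCEPT for the same reason. The router deliberately passes everything it does not drop, since the stateful firewall behind it is the place for per-service policy.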