Firewall Wizards mailing list archives

RE: Sizing a firewall


From: "Dom De Vitto" <dom () devitto com>
Date: Fri, 31 Dec 1999 14:31:32 -0000

DON'T just have them browse right out!
Cache/Proxy chain a couple of times - this will massively reduce your
traffic, esp. if you also run a caching name server before your T1.

I'd also recommend some kinda content/virus checker in the chain and
the last 'hop' before the 'net being an application-level firewall
(this would also be running a caching name server, only serving requests
on i/f 127.0.0.1).

This is fine for at least up to 5k clients (with two 'chains', going
out of two 6 Meg lines, to two different ISPs at two geographic
locations - we can manually switch all traffic through either pipe)

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Secure Technologies Ltd.                           Mob. 07971 589 201
mailto:dom () devitto com                             Tel. 01202 738 767
http://www.devitto.com                             Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Walt Sullivan
Sent: Wednesday, December 29, 1999 11:19 PM
To: firewall-wizards () nfr net
Subject: Sizing a firewall


I'm consulting for a Canadian government agency that plans to allow
desktop access to the Internet for the first time next year (yes, I
know, "Forward into the 70's", but it is government).

They think they have about 25,000 desktops (Windows 95/98, shudder).

How can I help them predict the amount of traffic they'll see on their
T1 connection?

Is there anybody out there running a firewall for 25K desktops that is
willing to share an order-of-magnitude guess?

Thanks,

Walt

-- 
Walt Sullivan
UNIX & Networks, Security & SysAdmin
walt () trytel com
