Firewall Wizards mailing list archives

Re: High Speed Firewalls


From: Bennett Todd <bet () rahul net>
Date: Thu, 2 Mar 2000 10:56:01 -0500

2000-03-02-10:40:10 woody weaver:
> 2000-03-01-20:18:13 Bennett Todd:
> > If you are firewalling some staggeringly huge number of clients,
> > 1Gbps worth, place multiple firewalls downstream, where this fat
> > pipe has been broken up for distribution.
>
> I came across this yesterday, oddly enough. Aggregates from
> hundreds to thousands of DSLAMs, feeding directly into a data
> center. No good place to put the firewall downstream!

Are these the kind of clients that need hard-core firewall
protection --- corporate users who can be told to FOAD if they
ask for NetMeeting, ICQ, etc? Or are these people for whom the
"firewall" is gonna be ingress filtering, blocking IP directed
broadcast, blocking traffic with src|dst tcp|udp ports 135-139, and
maybe blocking the RFC 1918 addrs? For such light-scale firewalling,
a router would be the box of choice with Gbps load having to be
carried.

> An alternate approach is to use a "firewall sandwich" approach
> with load balancers at the perimeter of each security domain,
> multiplexing into the multiple firewalls.  The load balancers have
> to be "sticky", directing a particular IP flow consistently to the
> same firewall, so state is preserved, but this is fairly normal
> today.

What's the state of the art in H-A load balancers handling Gbps
levels? The only load balancer I've used enough to really trust it
in all its behavior, including H-A failover, is the LocalDirector,
and last I heard it maxes out somewhere in the neighborhood of
80Mbps. The thing I really love about the LocalDirector is the
way it automatically balances to track varying performance of
the members of the farm. Maybe a faster-but-dumber load balancer
could be front-ended onto a small farm of a dozen or so H-A pairs
of LocalDirectors. Hmm. With an infinite purchasing budget, vast
amounts of rack space, and a pretty hefty power and A/C budget
ongoing, perhaps you really could do serious, heavy-duty firewalling
of a Gbps.

> One nice thing about this approach is that it also addresses
> redundancy/reliability issues, since most load balancers have
> a mechanism for automatically routing around a failed firewall
> device.

They have to. Keeping N boxes all working perfectly, nearly all the
time, grows nearly impossible as N grows.

-Bennett
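The "firewall sandwich" discussed in the thread hinges on two load-balancer properties: every packet of an IP flow, in both directions, must land on the same firewall (or the stateful box never sees the reply side), and taking a dead firewall out of the farm must not re-pin the flows that were on the healthy ones. The following is an added example, not code from the original posts or from any product named in them; the firewall names and the subscriber flows are constructed for the demo. It compares a naive hash-mod-N pick with a consistent-hash ring when one member of the farm fails.

```python
"""Sticky flow distribution across a firewall farm (the "firewall sandwich").

Added example; not code from the original thread.  Firewall names and the
sample flows below are constructed for illustration.
"""
import bisect
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> bytes:
        # Order the two endpoints so a reply (dst->src) hashes identically to
        # the request; otherwise return traffic would hit a firewall that has
        # no state for the connection and would be dropped.
        lo, hi = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return f"{self.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def _h(data: bytes) -> int:
    """Stable 64-bit hash; only determinism matters here, not secrecy."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


class ModuloBalancer:
    """Naive scheme: firewall = hash(flow) mod N.  Removing one member
    renumbers the rest, so flows on *healthy* firewalls get re-pinned
    and lose their state."""

    def __init__(self, firewalls):
        self.members = list(firewalls)

    def mark_down(self, name):
        self.members.remove(name)

    def pick(self, flow):
        return self.members[_h(flow.key()) % len(self.members)]


class ConsistentBalancer:
    """Consistent hashing with virtual nodes: removing a member only moves
    the flows that were on it; everything else stays put."""

    def __init__(self, firewalls, replicas=128):
        self.replicas = replicas
        self.ring = []  # sorted (point, firewall) pairs
        for fw in firewalls:
            self.add(fw)

    def add(self, name):
        for i in range(self.replicas):
            bisect.insort(self.ring, (_h(f"{name}#{i}".encode()), name))

    def mark_down(self, name):
        self.ring = [(p, n) for p, n in self.ring if n != name]

    def pick(self, flow):
        p = _h(flow.key())
        i = bisect.bisect_left(self.ring, (p, ""))  # first ring point >= p
        if i == len(self.ring):
            i = 0                                    # wrap around the ring
        return self.ring[i][1]


def sample_flows(n=300):
    """Constructed subscriber flows (DSL clients talking to two servers)."""
    flows = []
    for i in range(n):
        src = f"10.{(i >> 8) & 255}.{i & 255}.{(i * 7) % 250 + 1}"
        dst = "192.0.2.10" if i % 2 else "192.0.2.25"
        flows.append(Flow(6, src, 1024 + (i * 37) % 60000, dst, 80 if i % 3 else 443))
    return flows


def failover_impact(balancer, flows, failed):
    """Return (flows that were on `failed`, flows moved off a healthy box)."""
    before = {f: balancer.pick(f) for f in flows}
    balancer.mark_down(failed)
    after = {f: balancer.pick(f) for f in flows}
    assert all(after[f] != failed for f in flows)  # nothing lands on the dead box
    on_failed = sum(1 for f in flows if before[f] == failed)
    moved = sum(1 for f in flows if before[f] != failed and after[f] != before[f])
    return on_failed, moved


if __name__ == "__main__":
    farm = ["fw-a", "fw-b", "fw-c", "fw-d"]
    flows = sample_flows()
    for cls in (ModuloBalancer, ConsistentBalancer):
        on_failed, moved = failover_impact(cls(farm), flows, "fw-c")
        print(f"{cls.__name__}: {on_failed} flows were on fw-c, "
              f"{moved} flows on healthy firewalls re-pinned")
```

Run stand-alone, the modulo balancer re-pins a large share of the flows that were never on the failed firewall, while the consistent-hash ring re-pins none of them; the flows that were on the dead box are redistributed in both cases. The endpoint ordering in `Flow.key()` is the detail that makes the balancer "sticky" for both directions of a connection, which is what the thread means by preserving state.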
