Firewall Wizards mailing list archives
Re: High Speed Firewalls
From: Bennett Todd <bet () rahul net>
Date: Thu, 2 Mar 2000 10:56:01 -0500
2000-03-02-10:40:10 woody weaver:
> 2000-03-01-20:18:13 Bennett Todd:
> > If you are firewalling some staggeringly huge number of clients, 1Gbps
> > worth, place multiple firewalls downstream, where this fat pipe has been
> > broken up for distribution.
>
> I came across this yesterday, oddly enough. Aggregates from hundreds to
> thousands of DSLAMs, feeding directly into a data center. No good place to
> put the firewall downstream!

Are these the kind of clients that need hard-core firewall protection --- corporate users who can be told to FOAD if they ask for NetMeeting, ICQ, etc? Or are these people for whom the "firewall" is gonna be ingress filtering, blocking IP directed broadcast, blocking traffic with src|dst tcp|udp ports 135-139, and maybe blocking the RFC 1918 addrs? For such light-scale firewalling, a router would be the box of choice with Gbps load having to be carried.

> An alternate approach is to use a "firewall sandwich" approach with load
> balancers at the perimeter of each security domain, multiplexing into the
> multiple firewalls. The load balancers have to be "sticky", directing a
> particular IP flow consistently to the same firewall, so state is
> preserved, but this is fairly normal today.

What's the state of the art in H-A load balancers handling Gbps levels? The only load balancer I've used enough to really trust it in all its behavior, including H-A failover, is the LocalDirector, and last I heard it maxes out somewhere in the neighborhood of 80Mbps. The thing I really love about the LocalDirector is the way it automatically balances to track varying performance of the members of the farm. Maybe a faster-but-dumber load balancer could be front-ended onto a small farm of a dozen or so H-A pairs of LocalDirectors. Hmm. With an infinite purchasing budget, vast amounts of rack space, and a pretty hefty power and A/C budget ongoing, perhaps you really could do serious, heavy-duty firewalling of a Gbps.

> One nice thing about this approach is that it also addresses
> redundancy/reliability issues, since most load balancers have a mechanism
> for automatically routing around a failed firewall device.

They have to. Keeping N boxes all working perfectly, nearly all the time, grows nearly impossible as N grows.

-Bennett
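The "sticky" flow-to-firewall mapping the sandwich design depends on, as an added example that is not code from the thread or from any product it mentions: both directions of a flow are hashed to the same key so reply packets reach the firewall holding the state, and rendezvous hashing ensures that when one member fails only the flows it owned are moved. The firewall names and flows are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def flow_key(f: Flow) -> bytes:
    # Order the two endpoints so request and reply produce the same key;
    # otherwise return traffic could land on a firewall with no state for it.
    lo, hi = sorted([(f.src, f.sport), (f.dst, f.dport)])
    return f"{f.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_firewall(f: Flow, firewalls: list, healthy: set) -> str:
    # Rendezvous (highest-random-weight) hashing: every healthy firewall gets
    # a score derived from the flow key and the highest score wins. Removing a
    # member changes the answer only for flows that member was winning, so the
    # state on every surviving firewall stays valid.
    candidates = [fw for fw in firewalls if fw in healthy]
    if not candidates:
        raise RuntimeError("no healthy firewall in the farm")
    key = flow_key(f)

    def score(fw: str) -> int:
        return int.from_bytes(hashlib.sha256(key + b"|" + fw.encode()).digest()[:8], "big")

    return max(candidates, key=score)


def flows_moved(flows, firewalls, healthy_before, healthy_after):
    # Flows whose firewall changed between two health states of the farm.
    return [f for f in flows
            if pick_firewall(f, firewalls, healthy_before) != pick_firewall(f, firewalls, healthy_after)]


# Constructed sample farm and client flows (hypothetical addresses, not a real deployment).
FIREWALLS = ["fw1", "fw2", "fw3", "fw4"]
SAMPLE_FLOWS = [Flow("tcp", f"10.1.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 80) for i in range(200)]

if __name__ == "__main__":
    alive = set(FIREWALLS)
    for f in SAMPLE_FLOWS[:3]:
        print(f.src, "->", pick_firewall(f, FIREWALLS, alive), "reply ->", pick_firewall(f.reverse(), FIREWALLS, alive))
    moved = flows_moved(SAMPLE_FLOWS, FIREWALLS, alive, alive - {"fw2"})
    print(len(moved), "of", len(SAMPLE_FLOWS), "flows moved after fw2 failed")
```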