Firewall Wizards mailing list archives

Re: High Speed Firewalls


From: Bennett Todd <bet () rahul net>
Date: Wed, 1 Mar 2000 15:18:13 -0500

A few comments. First off, there aren't many interfaces that run at
"Gig Byte" [sic]. The fastest ethernet I've seen runs at one Giga
bit per second. That's "bit", not "byte". This is often written
Gbps. In a confusingly terse bit of notation, bit is abbreviated "b"
and byte is abbreviated "B". So a traditional ethernet is 10Mbps. It
turns out, with protocol overhead taken into account, the most you
can hope to push through a really clean traditional ethernet (e.g. a
fully-switched net) is c. 1MB/s (8Mbps).

On to fast firewalls, the topic you were asking about.

I've seen some discussion on this lately. There are probably a few
candidates out there that claim to do some very limited amount of
stateful packet filtering at speeds approaching 1Gbps. But the best
course is almost always to avoid attempting to firewall 1Gbps.
Firewall something smaller.

If you are firewalling servers, just harden them all instead. Run
packet filtering on them, eliminate unnecessary services, etc.

If you are firewalling some staggeringly huge number of clients,
1Gbps worth, place multiple firewalls downstream, where this fat
pipe has been broken up for distribution.

The only "firewalling" I'd recommend doing at 1Gbps is the sort that
can be done on any modern router: simple static filtering rules.
Do ingress/egress filtering, blocking forged source addrs from
entering or leaving the local net with the static route on the
router. Block all RFC 1918 traffic from coming through. Block all IP
Directed Broadcast packets.

-Bennett
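
The static router filtering described in the post above (ingress/egress filtering of forged source addresses, dropping RFC 1918 traffic, and dropping IP directed broadcasts), as an added worked example that is not part of Bennett's message. It models the rules as a small Python classifier over constructed packets. The site prefix 203.0.113.0/24 (split into two /25 subnets), the external peer 198.51.100.7, and the interface names "outside" and "inside" are all assumptions made for the example, not details from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology for this example: the site owns 203.0.113.0/24 behind a
# router with an "outside" (upstream) and an "inside" (distribution) interface.
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# The directed-broadcast check needs the subnets as actually deployed inside,
# because each subnet has its own broadcast address.
LOCAL_SUBNETS = [
    ipaddress.ip_network("203.0.113.0/25"),
    ipaddress.ip_network("203.0.113.128/25"),
]
# RFC 1918 private ranges: never legitimately routed across the Internet.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str    # source IPv4 address (dotted quad)
    dst: str    # destination IPv4 address (dotted quad)


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt: Packet) -> str:
    """Apply the static rules and return 'permit' or 'deny: <reason>'.

    The rules are order-sensitive in the same way a router ACL is: the first
    matching deny wins, and anything not denied is permitted (this example
    only models the anti-spoofing rules, not a full policy).
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 1: never forward a packet addressed to the broadcast address of one
    # of our subnets (IP directed broadcast, the smurf amplification vector).
    if any(dst == n.broadcast_address for n in LOCAL_SUBNETS):
        return "deny: IP directed broadcast"

    if pkt.iface == "outside":
        # Rule 2 (ingress): a packet arriving from upstream that claims one of
        # our own addresses as its source is forged.
        if _in_any(src, LOCAL_NETS):
            return "deny: ingress, forged local source"
        # Rule 3 (ingress): RFC 1918 addresses must not come through in
        # either direction.
        if _in_any(src, RFC1918) or _in_any(dst, RFC1918):
            return "deny: ingress, RFC 1918 address"
        return "permit"

    if pkt.iface == "inside":
        # Rule 4 (egress): only our own prefix may leave; anything else is a
        # spoofed source (or a misrouted private address) and must not escape.
        if not _in_any(src, LOCAL_NETS):
            return "deny: egress, non-local source"
        # Rule 5 (egress): do not leak traffic for private destinations upstream.
        if _in_any(dst, RFC1918):
            return "deny: egress, RFC 1918 destination"
        return "permit"

    raise ValueError(f"unknown interface {pkt.iface!r}")


# Constructed sample traffic, one packet per rule plus two legitimate flows.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.7", "203.0.113.10"),   # normal inbound
    Packet("outside", "203.0.113.5", "203.0.113.10"),    # forged local source
    Packet("outside", "10.1.2.3", "203.0.113.10"),       # RFC 1918 source
    Packet("outside", "198.51.100.7", "203.0.113.127"),  # broadcast of /25 #1
    Packet("outside", "198.51.100.7", "203.0.113.255"),  # broadcast of /25 #2
    Packet("inside", "203.0.113.10", "198.51.100.7"),    # normal outbound
    Packet("inside", "192.168.1.1", "198.51.100.7"),     # spoofed/leaked source
    Packet("inside", "203.0.113.10", "192.168.1.1"),     # private destination
]


def run_samples(packets=SAMPLE_PACKETS):
    """Classify every sample packet; returns a list of (packet, verdict)."""
    return [(p, filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in run_samples():
        print(f"{pkt.iface:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

The classifier is a model of what a router's static access lists do, not a replacement for them; on real hardware these same five checks are expressed as interface ACLs plus disabling directed-broadcast forwarding, and they run at line rate precisely because they are stateless.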
