Firewall Wizards mailing list archives
Re: [High Speed Firewalls]
From: Paul Boyer <Paul.Boyer () paulboyer org>
Date: Fri, 03 Mar 2000 17:39:06 +0100
Right now, you can easily have a Gigabit firewall by using 2 level 4 switches and 10 decent firewalls. Have a look at Alteon firewall load balancing switches. The main idea of doing firewall load balancing: 1 switch taking Gb in, distributing to 8 (or more) firewalls on 100bT links, back from the 8 (or more) FW to another switch, and voila, the Gig firewalled back.

Note that Linux on a single high end PC can do more than a PIX for a small part of the price. Linux now supports 1000bT cards pretty well, so you can expect a full featured Gb/s firewall on Linux within a few months, for less than the price of the switch you'll plug it in!

My company sells right now firewall boxes on Linux that can handle 150 Mb/s throughput (cumulated on all interfaces). Note that this data depends very much upon the nature of the bandwidth. You can seriously take down any high speed box with only 50Mb/s of tiny packets or (even worse) fragmented packets, while it can handle a single ftp download of 100GB like a charm. 150Mb/s is less than the maximum bandwidth you can get, and more than the worst. It is fairly less than the amount of Web and database traffic you can accept if the packets are not too thin.

Try sending 30 byte random unmatched IP fragments at a 2Mb/s rate to a Giga speed firewall, you will hurt it pretty seriously (some will probably die). Kind of a DoS...

Paul Boyer

James Vaughn wrote:
Hi,

I'd recommend checking into a hardware-based firewall solution, rather than a software firewall. Hardware solutions are specifically designed for the volume of traffic about which you're speaking. Check www.f5.com for their BigIP product (which is an internet-centric load-balancing, FW/etc. machine -- i.e., more than just a firewall; depends on why you need this) or www.cisco.com and look into their PIX solutions. There are others out there, too -- but these are the ones with which I'm familiar and trust.

BTW -- Tried to send you an email directly (to save bandwidth on the nfr list) but the email was rejected:

<hbaez () eos hitc com>: Connected to 38.177.222.21 but sender was rejected. Remote host said: 550 Access denied

Probably a spam filter. ;^)

- James D Vaughn

Henry Baez <hbaez () eos hitc com> wrote:

I am doing research on very high speed firewalls. I mean firewalls that are right now available that could handle OC3 and higher speeds via Gig Byte Ethernet cards. In searching the recent postings of this list and a lot of general web searching, I have found only one firewall that claims they can do so. It is called PORTUS from a company called Livermore Software Laboratories.

I would very much like to find at least another vendor which at least matches the claim of PORTUS, 300 MB plus throughput. Management, bless them, likes to have choices, I would like to present more than one vendor if possible.

I have experience with two commercial firewalls, Checkpoint and Gauntlet, and one freeware firewall, Ipfilter. But the links were way under 10 Meg Byte. None of the firewalls I have worked on 'claim' the speeds I am looking for. All the magazine 'test/reviews' I have looked at top out at about 150 Meg. Byte. The number of users for this project would not be large, but each one would be moving Gig Byte size files across the world.

Thanks,
Henry Baez
hbaez () eos hitc com
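
The small-fragment point in Paul Boyer's message, as an added example that is not part of the original thread: a simulation of the reassembly state a firewall holds for fragments that never complete, with an unbounded table beside one capped at a fixed size. The 2 Mb/s and 30-byte figures are from the post; the 30-second reassembly timeout, the 60-second sample, the 4096-entry cap, and reading 30 bytes as the whole packet size are assumptions.

```python
from collections import OrderedDict

RATE_BPS = 2_000_000   # 2 Mb/s, figure from the post
FRAG_BYTES = 30        # 30-byte fragments, from the post (assumed total packet size)
TIMEOUT_S = 30         # assumed reassembly timeout
DURATION_S = 60        # assumed length of the constructed traffic sample


def fragments_per_second(rate_bps=RATE_BPS, frag_bytes=FRAG_BYTES):
    """Fragments arriving each second at the given line rate."""
    return rate_bps // (frag_bytes * 8)


class FragmentTable:
    """Pending-reassembly state, one entry per unmatched fragment key."""

    def __init__(self, max_entries=None, timeout=TIMEOUT_S):
        self.max_entries = max_entries      # None models an unbounded table
        self.timeout = timeout
        self.pending = OrderedDict()        # key -> arrival second, oldest first
        self.peak = 0
        self.evicted = 0

    def add(self, key, now):
        # Drop entries whose reassembly timer has run out.
        while self.pending and now - next(iter(self.pending.values())) >= self.timeout:
            self.pending.popitem(last=False)
        # At the cap, evict the oldest entry instead of growing.
        if self.max_entries is not None and len(self.pending) >= self.max_entries:
            self.pending.popitem(last=False)
            self.evicted += 1
        self.pending[key] = now
        self.peak = max(self.peak, len(self.pending))


def simulate(max_entries=None):
    """Feed constructed fragments that never share a key, so none completes."""
    table = FragmentTable(max_entries)
    pps = fragments_per_second()
    for second in range(DURATION_S):
        for n in range(pps):
            table.add((second, n), second)  # constructed stand-in for (src, dst, proto, id)
    return table


if __name__ == "__main__":
    for cap in (None, 4096):
        t = simulate(cap)
        print(f"cap={cap}: peak pending={t.peak}, evicted={t.evicted}")
```

The cap bounds memory, but oldest-first eviction also discards legitimate in-flight fragments, so real deployments usually pair it with per-source limits.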