Firewall Wizards mailing list archives

Re: [High Speed Firewalls]


From: Paul Boyer <Paul.Boyer () paulboyer org>
Date: Fri, 03 Mar 2000 17:39:06 +0100

Right now, you can easily have a Gigabit firewall by using 2 level 4
switches and 10 decent firewalls.
Have a look at Alteon firewall load balancing switches.

The main idea of doing firewall load balancing:

1 switch taking Gb in, distributing to 8 (or more) firewalls on 100bT
links, back from the 8 (or more) FW to another switch, and voila, the Gig
firewalled back.

Note that Linux on a single high end PC can do more than a PIX for a
small part of the price.
Linux now supports 1000bT cards pretty well, so you can expect a full
featured Gb/s firewall on Linux within a few months, for less than the
price of the switch you'll plug it in!

My company sells right now firewall boxes on Linux that can handle 150
Mb/s throughput (cumulated on all interfaces).
Note that those figures depend very much upon the nature of the bandwidth.
You can seriously take down any high speed box with only 50Mb/s of tiny
packets or (even worse) fragmented packets, while it can handle a single
FTP download of 100GB like a charm.
150Mb/s is less than the maximum bandwidth you can get, and more than the
worst. It is rather less than the amount of Web and database traffic you
can accept if the packets are not too thin.

Try sending 30 byte random unmatched IP fragments at a 2Mb/s rate to a
Giga speed firewall, and you will hurt it pretty seriously (some will
probably die). Kind of a DoS...

Paul Boyer
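The two points above, the load-balancing switch spreading flows over a pool of firewalls and the packet-rate arithmetic behind the small-packet warning, as an added Python illustration that is not code from this thread. The symmetric 5-tuple hash, the eight-firewall pool and the sample flows are assumptions; a real L4 switch's hashing is vendor-specific.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    # Ports are None for non-first IP fragments: they carry no L4 header,
    # which is why "unmatched fragments" are awkward for an L4 switch.
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def symmetric_key(f: Flow) -> bytes:
    """Order the endpoints so A->B and B->A produce the same key.

    A stateful firewall must see both directions of a connection, so the
    distributing switch has to hash symmetrically (assumed design)."""
    a = (f.src_ip, f.src_port or 0)
    b = (f.dst_ip, f.dst_port or 0)
    lo, hi = sorted([a, b])
    return f"{f.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()

def choose_firewall(f: Flow, n_firewalls: int) -> int:
    """Pick the firewall index (0..n-1) for this flow."""
    digest = hashlib.sha256(symmetric_key(f)).digest()
    return int.from_bytes(digest[:8], "big") % n_firewalls

def distribute(flows, n_firewalls: int) -> Counter:
    """Count how many flows land on each firewall in the pool."""
    return Counter(choose_firewall(f, n_firewalls) for f in flows)

def packets_per_second(mbit_per_s: float, packet_bytes: int) -> float:
    """Packet rate a link carries at a given bitrate and packet size.

    Firewalls spend CPU per packet, not per bit, so 50 Mb/s of 30-byte
    fragments is far heavier than 150 Mb/s of 1500-byte FTP data."""
    return mbit_per_s * 1_000_000 / (packet_bytes * 8)

if __name__ == "__main__":
    # Constructed sample: 200 client flows to one web server, pool of 8.
    sample = [Flow(f"10.0.{i // 250}.{i % 250 + 1}", "192.0.2.10", 6,
                   40000 + i, 80) for i in range(200)]
    print(dict(sorted(distribute(sample, 8).items())))
    print(packets_per_second(50, 30), packets_per_second(150, 1500))
```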

James Vaughn wrote:

Hi,

I'd recommend checking into a hardware-based firewall solution, rather
than a software firewall.  Hardware solutions are specifically designed
for the volume of traffic about which you're speaking.  Check www.f5.com for
their BigIP product (which is an internet-centric load-balancing, FW/etc.
machine -- i.e., more than just a firewall; depends on why you need this) or
www.cisco.com and look into their PIX solutions.

There are others out there, too -- but these are the ones with which I'm
familiar and trust.

BTW -- Tried to send you an email directly (to save bandwidth on the nfr list)
but the email was rejected:

<hbaez () eos hitc com>:
Connected to 38.177.222.21 but sender was rejected.
Remote host said: 550 Access denied

Probably a spam filter.  ;^)

- James D Vaughn

Henry Baez <hbaez () eos hitc com> wrote:
I am doing research on very high speed firewalls.  I mean firewalls that
are right now available that could handle OC3 and higher speeds via Gig
Byte Ethernet cards.  In searching the recent postings of this list and
a lot of general web searching, I have found only one firewall that
claims it can do so.  It is called PORTUS from a company called Livermore
Software Laboratories.  I would very much like to find at least another
vendor which at least matches the claim of PORTUS, 300 MB plus
throughput.  Management, bless them, likes to have choices; I would like to
present more than one vendor if possible.

I have experience with two commercial firewalls, Checkpoint and
Gauntlet, and one freeware firewall, Ipfilter.  But the links were way
under 10 Meg Byte.  None of the firewalls I have worked on 'claim' the
speeds I am looking for.  All the magazine 'tests/reviews' I have looked
at top out at about 150 Meg. Byte.  The number of users for this project
would not be large, but each one would be moving Gig Byte size files
across the world.


Thanks,

Henry Baez
hbaez () eos hitc com






