Firewall Wizards mailing list archives
Re: Next Generation Security Architecture
From: Brian Ford <brford () cisco com>
Date: Tue, 27 Feb 2001 16:30:31 -0500
John,

> I think they're using the Nokia load balancers (I prefer Cisco, but Cisco still can't load balance GigE)

Have you taken a look at the CSS11000 line (formerly ArrowPoint)? You can do some remarkable things (including firewall load balancing) with these things.

We can group up to 8 PIX firewalls together at 100 MBPS between a pair of the lower end CSS11800. That is GigE in and out of the CSS11800s and 8 100MBPS Full Duplex firewalls in between. Or you can go with the higher end CSS11000s in that sandwich configuration using up to 8 CSS GigE blades and use five PIX 535 with GigE (535 does GigE throughput). That's a 4 GB firewall solution with the fifth PIX in there to make sure you have bandwidth in the event of a failure. The CSS switches poll the firewalls and work around them in the event of a failure.
Regards,

Brian

At 02:28 PM 2/27/2001 -0500, John Adams wrote:

Lucent has a paper on firewalling Gigabit Ethernet between multiple firewalls at http://www.lucent.com/ins/library/pdf/white_papers/BRICK_WP.pdf

I think they're using the Nokia load balancers (I prefer Cisco, but Cisco still can't load balance GigE)

--john

On Mon, 26 Feb 2001, Brian Ford wrote:

> Ng,
>
> > > > What about things like the cisco
> > > > LocalDirector? Although I'm not quite sure whether that's a reverse
> > > > proxy or a tcp load balancer :-].
> >
> > It's a dead product. Cisco now peddles Arrowpoint. ;-)
>
> Buzzzz. Sorry. Wrong answer.
>
> We still sell LocalDirector (the load balancer) as an Enterprise
> product. Not everyone needs multi GigE feeds and speeds of the CSS
> switches (darn!).
>
> Regarding
> > > > AFAIK some of the commercial reverse proxies will perform authentication
> > > > on behalf of the webserver.
> and
> > Apart from the (imho fallacious) warm fuzzy feeling that "our real
> > webserver is no longer exposed to direct attack from the Internet", I don't
> > see value in a reverse proxy
>
> Wouldn't the addition remove some of the load from the server. I know it
> does from mine. I use the Cut-through proxy in the PIX to authenticate
> users looking at my server (on the Cisco intranet).
>
> Regards,
>
> Brian
>
> > Date: Mon, 26 Feb 2001 23:11:20 +0800
> > From: Ng Pheng Siong <ngps () post1 com>
> > To: Robert Collins <robert.collins () itdomain com au>
> > Cc: firewall-wizards () nfr net
> > Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR
> > - CORRECTED COPY
> >
> > On Thu, Feb 22, 2001 at 08:20:47AM +1100, Robert Collins wrote:
> > > From: "Ng Pheng Siong" <ngps () post1 com>
> > > > Reverse proxies break X.509 cert-based client authentication.
> > >
> > > I don't believe there's any protocol level reason why the reverse proxy
> > > cannot perform the X.509 certificate authentication itself. Certainly
> > > the web server AND the reverse proxy cannot both perform that
> > > authentication.
> >
> > You're right on both counts.
> >
> > > > AFAIK some of the commercial reverse proxies will perform authentication
> > > > on behalf of the webserver.
> >
> > Then the reverse proxy is really telling the webserver "trust me" when
> > communicating the identity of the client.
> >
> > Apart from the (imho fallacious) warm fuzzy feeling that "our real
> > webserver is no longer exposed to direct attack from the Internet", I don't
> > see value in a reverse proxy - the reverse proxies I've seen in production
> > simply relay stuff back and forth.
> >
> > > > What about things like the cisco
> > > > LocalDirector? Although I'm not quite sure whether that's a reverse
> > > > proxy or a tcp load balancer :-].
> >
> > It's a dead product. Cisco now peddles Arrowpoint. ;-)
> >
> > --
> > Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

--
J. Adams http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and content. They only want to allocate enough upstream bandwidth for 10,000,000 buy buttons. Producing or sharing information is a subversive act and will not be tolerated. -anonymous coward on /.
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
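The quoted exchange argues that once a reverse proxy performs the X.509 client authentication itself, it is really telling the web server "trust me" about who the client is. As an added example (not code from this thread or from any of the products named in it), the following Python sketch shows one way to make that assertion checkable rather than blind: the proxy drops any identity headers the client sent, asserts the subject it verified, and signs it with a key shared only with the backend; the backend accepts the identity only when the request arrives from the proxy and the signature verifies. The proxy address, header names and key are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed values for the demo: the proxy's address as the backend sees it,
# and a key shared only between the proxy and the web server.
PROXY_ADDR = "10.0.0.2"
SHARED_KEY = b"constructed-demo-key-not-for-production"
IDENT_HDR = "X-Client-Cert-CN"   # asserted certificate subject
SIG_HDR = "X-Client-Cert-Sig"    # HMAC over the asserted subject


@dataclass
class Request:
    peer_addr: str                      # address the request arrived from
    headers: Dict[str, str] = field(default_factory=dict)


def sign_identity(cn: str) -> str:
    return hmac.new(SHARED_KEY, cn.encode(), hashlib.sha256).hexdigest()


def proxy_forward(client_req: Request, verified_cn: str) -> Request:
    """Reverse proxy side. The proxy has already done the X.509 client
    authentication (verified_cn is the subject it validated) and now relays
    the request, asserting that identity to the web server. Identity headers
    the client itself sent are dropped so nothing can be smuggled through."""
    headers = {k: v for k, v in client_req.headers.items()
               if k not in (IDENT_HDR, SIG_HDR)}
    headers[IDENT_HDR] = verified_cn
    headers[SIG_HDR] = sign_identity(verified_cn)
    return Request(peer_addr=PROXY_ADDR, headers=headers)


def backend_identity(req: Request) -> Optional[str]:
    """Web server side. Accept the asserted identity only if the request came
    from the proxy and the signature verifies under the shared key; otherwise
    treat the request as unauthenticated (None)."""
    if req.peer_addr != PROXY_ADDR:
        return None
    cn = req.headers.get(IDENT_HDR)
    sig = req.headers.get(SIG_HDR, "")
    if cn is None or not hmac.compare_digest(sig, sign_identity(cn)):
        return None
    return cn


if __name__ == "__main__":
    relayed = proxy_forward(Request("203.0.113.5", {IDENT_HDR: "CN=mallory"}), "CN=alice")
    print(backend_identity(relayed))                                            # CN=alice
    print(backend_identity(Request("203.0.113.5", {IDENT_HDR: "CN=alice"})))    # None
```

The peer-address check alone is what most deployments rely on; the signature is the extra step that keeps a misrouted or misconfigured host from asserting identities the proxy never verified.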