Firewall Wizards mailing list archives

Re: Next Generation Security Architecture


From: Brian Ford <brford () cisco com>
Date: Tue, 27 Feb 2001 16:30:31 -0500

John,

> I think they're using the Nokia load balancers (I prefer Cisco, but Cisco
> still can't load balance GigE)

Have you taken a look at the CSS11000 line (formerly ArrowPoint)? You can do some remarkable things (including firewall load balancing) with these things.

We can group up to 8 PIX firewalls together at 100 Mbps between a pair of the lower end CSS11800. That is GigE in and out of the CSS11800s and 8 100 Mbps Full Duplex firewalls in between. Or you can go with the higher end CSS11000s in that sandwich configuration using up to 8 CSS GigE blades and use five PIX 535 with GigE (535 does GigE throughput). That's a 4 GB firewall solution with the fifth PIX in there to make sure you have bandwidth in the event of a failure. The CSS switches poll the firewalls and work around them in the event of a failure.

Regards,

Brian

At 02:28 PM 2/27/2001 -0500, John Adams wrote:

Lucent has a paper on firewalling Gigabit Ethernet between multiple
firewalls at
http://www.lucent.com/ins/library/pdf/white_papers/BRICK_WP.pdf

I think they're using the Nokia load balancers (I prefer Cisco, but Cisco
still can't load balance GigE)

--john

On Mon, 26 Feb 2001, Brian Ford wrote:

> Ng,
>
>
> > > What about things like the cisco
> > > LocalDirector? Although I'm not quite sure whether that's a reverse
> > > proxy or a tcp load balancer :-].
> >
> >It's a dead product. Cisco now peddles Arrowpoint. ;-)
>
> Buzzzz.  Sorry. Wrong answer.
>
> We still sell LocalDirector (the load balancer) as an Enterprise
> product.  Not everyone needs multi GigE feeds and speeds of the CSS
> switches (darn!).
>
> Regarding
>
> > > AFAIK some of the commercial reverse proxies will perform authentication
> > > on behalf of the webserver.
> and
> >Apart from the (imho fallacious) warm fuzzy feeling that "our real
> >webserver is no longer exposed to direct attack from the Internet", I don't
> >see value in a reverse proxy
>
> Wouldn't the addition remove some of the load from the server?  I know it
> does from mine.  I use the Cut-through proxy in the PIX to authenticate
> users looking at my server (on the Cisco intranet).
>
> Regards,
>
> Brian
>
> >Date: Mon, 26 Feb 2001 23:11:20 +0800
> >From: Ng Pheng Siong <ngps () post1 com>
> >To: Robert Collins <robert.collins () itdomain com au>
> >Cc: firewall-wizards () nfr net
> >Subject: Re: [fw-wiz] Next Generation Security Architecture - TO MODERATOR
> >- CORRECTED COPY
> >
> >On Thu, Feb 22, 2001 at 08:20:47AM +1100, Robert Collins wrote:
> > > From: "Ng Pheng Siong" <ngps () post1 com>
> > > > Reverse proxies break X.509 cert-based client authentication.
> > >
> > > I don't believe there's any protocol level reason why the reverse proxy
> > > cannot perform the X.509 certificate authentication itself. Certainly
> > > the web server AND the reverse proxy cannot both perform that
> > > authentication.
> >
> >You're right on both counts.
> >
> >
> > > AFAIK some of the commercial reverse proxies will perform authentication
> > > on behalf of the webserver.
> >
> >Then the reverse proxy is really telling the webserver "trust me" when
> >communicating the identity of the client.
> >
> >Apart from the (imho fallacious) warm fuzzy feeling that "our real
> >webserver is no longer exposed to direct attack from the Internet", I don't
> >see value in a reverse proxy - the reverse proxies I've seen in production
> >simply relay stuff back and forth.
> >
> >
> > > What about things like the cisco
> > > LocalDirector? Although I'm not quite sure whether that's a reverse
> > > proxy or a tcp load balancer :-].
> >
> >It's a dead product. Cisco now peddles Arrowpoint. ;-)
> >
> >--
> >Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
>

--
J. Adams                                        http://www.retina.net/~jna
You are supposed to be a consumer, a black hole for goods, advertising and
content. They only want to allocate enough upstream bandwidth for
10,000,000 buy buttons. Producing or sharing information is a subversive
act and will not be tolerated. -anonymous coward on /.
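The "trust me" relationship Ng Pheng Siong describes (the reverse proxy authenticates the client's X.509 certificate and then asserts that identity to the web server) is modelled below as an added example, not code from anyone in this thread. The header name, the trusted proxy subject and the request shapes are constructed; the point is that the asserted identity is only usable when the server can attribute the connection to the proxy.

```python
# Added example, not from the thread. The reverse proxy terminates TLS, performs
# X.509 client-certificate authentication itself, and forwards the resulting
# identity to the web server in a header. The web server may honour that header
# ONLY on connections it can attribute to the proxy (e.g. mutual TLS between
# proxy and server); otherwise the header is just an unverified claim.
# The header name and the peer subjects below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, Optional

IDENTITY_HEADER = "x-authenticated-subject"            # constructed, not a standard
TRUSTED_PROXIES = {"CN=reverse-proxy.example.test"}    # constructed proxy cert subject


@dataclass
class Request:
    peer_subject: Optional[str]   # subject of the TLS peer that opened this connection
    headers: Dict[str, str]       # lowercased header names -> values


def authenticated_subject(req: Request) -> Optional[str]:
    """Return the client identity the web server may rely on, or None.

    The identity header carries weight only when the connection itself was
    authenticated as coming from a trusted proxy. Any other peer (a client that
    reached the server directly, a misconfigured network path) has the header
    ignored, which is what turns "trust me" into a checkable statement.
    """
    if req.peer_subject not in TRUSTED_PROXIES:
        return None
    subject = req.headers.get(IDENTITY_HEADER, "").strip()
    if not subject.startswith("CN="):
        return None
    return subject


def proxy_forwarded_headers(client_headers: Dict[str, str], verified_subject: str) -> Dict[str, str]:
    """What the proxy does before forwarding: drop any client-supplied copy of the
    identity header so it cannot be smuggled through, then add its own assertion
    derived from the certificate it actually verified."""
    forwarded = {k: v for k, v in client_headers.items() if k != IDENTITY_HEADER}
    forwarded[IDENTITY_HEADER] = verified_subject
    return forwarded
```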
