Firewall Wizards mailing list archives

High-Availability FW/VPN for Data Centers


From: "Joe Ippolito" <joe () joesnet com>
Date: Mon, 12 Mar 2001 07:28:57 -0800

We have successfully deployed a primarily VPN-based WAN connecting 59 sites
in a very large manufacturing company.  The push now is to move
line-of-business applications to three data centers, one in the US, one in
Europe and one in Asia.  The data centers will have multiple T3/E3 circuits
to two major providers.  We wish to change the FW/VPN platform that we
currently use due to an occasional NDIS buffer overflow problem that requires a
re-boot.  Hardware for almost all of our firewalls is aging and is due for
refresh.

Some of the requirements are:

Secure Internet firewalls.
High availability - a single hardware failure cannot cause a loss of
connectivity.
High throughput - up to 90 Mbits/sec of IPSec 3DES encryption.
Global management - A single database of network definitions, rulebases, etc.
for over 100 firewalls/VPN devices.

Desirable:

Quality of service so that the transfer of very large CAD files to/from data
centers cannot easily slow down time-sensitive ERP interactive sessions.

Products currently being considered:

Firewall-1/VPN-1 CP HA on Linux and Provider-10
Nokia Fw1/VPN1, VRRP and Provider-10
Cisco Pix and CSPM
MS ISA, Win 2K L2TP/IPSec, NLB, MMC

I do not give the fourth option much chance due to a low level of experience,
but pricing makes it an alternative that I would like to keep in the
analysis for reference.

I would like to get your opinions on the options I have described above for
my initial presentation to my management.

Thank you in advance for your valued input.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

