Firewall Wizards mailing list archives
RE: Consine FW
From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
Date: Tue, 13 Nov 2001 15:31:53 -0500 (EST)
me. Has anyone tested a high end firewall, proxy or stateful, on 2GHz quad-processor servers decked out with memory? It may give gigabit throughput performance for all we know at this point. I don't dispute

One of our customers did try out a quad proc (440MHz, I think) with 1 GB RAM on a Sun E450 (2 Gig NIC) with Checkpoint. I think they barely got around 60-80 Mbps of throughput out of the 1G. The packets were pure UDP traffic (200 streams) and the FW was configured with 20 FW rules. In Checkpoint's defense, the admins were not very big on Solaris and the optimizations were a few things recommended on phoneboy.com. It'd be interesting to see if people have had other experiences.

As for the data mining and trend analysis, you grab that from the proxy firewall as opposed to the server, a la Webtrend firewall products

Yes, that would work but it'd get interestingly complex as u'd have one LB farm/high end device shared across various customers.
Nimesh.
Sincerely,
Perry J. Lucas

-----Original Message-----
From: Nimesh Vakharia [mailto:nvakhari () clio rad sunysb edu]
Sent: Monday, November 12, 2001 5:11 PM
To: Lucas, Perry
Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com; David Lang
Subject: RE: [fw-wiz] Consine FW

Lucas,
If one considers the price/performance of high end firewalls, which is what the market seems to be moving to nowadays, consider the port density, price etc... u'd want to have multi-gigabit capabilities especially when it is in a shared hosting/inter-enterprise environment. Although high end proxies are secure (a squid cluster) and do content inspection, the speed seems to be a distant dream, and besides, a proxy in a hosting environment is a major no-no. The thought of losing out on client info for site trend analysis or data mining is pretty much unacceptable. I guess the ideal solution would be to see Layer 7 analysis in a stateful firewall at high speeds.
Nimesh.

On Mon, 12 Nov 2001, Lucas, Perry wrote:
Just to contribute a little bit off the list. In the past, proxy firewalls were deemed to be more secure than stateful inspection firewalls. I don't know how well that still holds true today, as I personally haven't kept up on the debates, but the logic being that it is the proxy establishing the connections. Just to break it out in a rough sense, with stateful inspection you get a pc-to-pc connection with the firewall making some alterations to the packets for NAT or blocking ports as necessary. With proxy firewalls, the PC makes a connection to the proxy, and then the proxy makes the request out to the server. So you get a pc-to-proxy-to-pc connection. The trade-off, as has been mentioned, is a slight degradation in performance. You'll get different answers depending on which zealot you talk to as to which is better.

My personal preference is towards stateful inspection firewalls such as PIX, Checkpoint, and Netscreen as they adapt to new technology easier and are usually fairly transparent in operation to the users.

-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Friday, November 09, 2001 3:56 AM
To: Nimesh Vakharia
Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

although as fast as computers are today the speed you can get from proxies may very well be sufficient, in most cases a fairly beefy box will make it so that your communications lines are your bottleneck, not the firewall (obviously does not apply to gig ethernet, but definitely does apply up to multiple DS-3's)

David Lang

On Thu, 8 Nov 2001, Nimesh Vakharia wrote:
Date: Thu, 8 Nov 2001 11:44:37 -0500 (EST)
From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
To: Bill_Royds () pch gc ca
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

agreed, the proxy's inherent behaviour to establish the connection itself is why it does not require it to be stateful, which is why it casts a doubt on performance capabilities at high speeds and is less than ideal for a hosting environment.

On Thu, 8 Nov 2001 Bill_Royds () pch gc ca wrote:
An application proxy firewall does not need stateful inspection. Stateful inspection is a method for packet filtering firewalls to carry information about TCP and UDP conversations to ensure that they are consistent. An application proxy does this inherently so it does not need a state table for the conversation.
Bill Royds

Nimesh Vakharia <nvakhari () clio rad sunysb edu> 11/07/01 04:08 PM
To: firewall-wizards () nfr com
cc:
Subject: [fw-wiz] Cosine FW

Hello,
We are looking at a bunch of high-end firewall and VPN options and Cosine seems to be an interesting one. But someone told me that currently Cosine does not have a stateful firewall? Is that true? I was told they can support packet filtering and application proxy only...
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
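An added illustration of the state table Bill Royds describes in the thread (example code, not from any of the posters): packets leaving the protected network create an entry, and an inbound packet is accepted only when it matches the reverse 5-tuple of a live entry, which is exactly the bookkeeping a proxy gets for free because it originates the outbound connection itself. The network, addresses, ports and idle timeout are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IDLE_TIMEOUT = 30.0                  # seconds of silence before an entry expires (assumed)
INSIDE = ip_network("10.0.0.0/24")   # constructed "protected" network

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The reply direction of the same conversation (swapped endpoints).
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StateTable:
    """Tracks conversations opened from the inside; inbound packets must match one."""
    def __init__(self) -> None:
        self.entries: dict[Flow, float] = {}    # flow -> last-seen timestamp

    def _expire(self, now: float) -> None:
        stale = [f for f, seen in self.entries.items() if now - seen > IDLE_TIMEOUT]
        for f in stale:
            del self.entries[f]

    def check(self, flow: Flow, now: float) -> str:
        self._expire(now)
        if ip_address(flow.src) in INSIDE:      # outbound: create or refresh state
            self.entries[flow] = now
            return "ALLOW"
        rev = flow.reverse()
        if rev in self.entries:                 # inbound reply to a tracked conversation
            self.entries[rev] = now
            return "ALLOW"
        return "DROP"                           # unsolicited inbound packet, no state

def run_demo() -> list[str]:
    """Constructed sequence: DNS query out, its reply in, a stray inbound, a late reply."""
    st = StateTable()
    query = Flow("udp", "10.0.0.5", 40000, "192.0.2.53", 53)
    return [
        st.check(query, now=0.0),                                          # ALLOW
        st.check(query.reverse(), now=1.0),                                # ALLOW
        st.check(Flow("udp", "192.0.2.99", 53, "10.0.0.5", 40000), now=2.0),  # DROP
        st.check(query.reverse(), now=40.0),                               # DROP (idled out)
    ]
```

The last packet is dropped even though it matches the original 5-tuple, because the entry was last refreshed at t=1.0 and the idle timer has run out; a proxy never faces this question, since the socket it opened either exists or it does not.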
Current thread:
- Re: Consine FW Bill_Royds (Nov 09)
- Re: Consine FW Nimesh Vakharia (Nov 09)
- Re: Consine FW David Lang (Nov 09)
- <Possible follow-ups>
- RE: Consine FW Nimesh Vakharia (Nov 13)
- Re: Consine FW t (Nov 14)
- RE: Consine FW Lucas, Perry (Nov 14)
- RE: Consine FW David Lang (Nov 14)
- RE: Consine FW Nimesh Vakharia (Nov 14)
- Re: Consine FW Volker Tanger (Nov 14)
- Re: Consine FW Nimesh Vakharia (Nov 15)
- Re: Consine FW Stephane Nasdrovisky (Nov 15)
- Re: Consine FW Nimesh Vakharia (Nov 09)
- RE: Consine FW Pieper, Rodney (Nov 14)