Firewall Wizards mailing list archives

RE: Info Request: Looking for alternatives in HA/Load balancing firewalls ...


From: "Keith A. Glass" <salgak () speakeasy net>
Date: Sun, 23 Apr 2006 15:56:03 -0400

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Peter J.
Cherny
Sent: Thursday, April 13, 2006 9:39 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Info Request: Looking for alternatives in HA/Load
balancing firewalls ...

> At 04:24 AM 5/4/06, Keith A. Glass wrote:
> > We're currently spec'ing functional requirements for a new web-based
> > implementation of a number of enterprise apps.  One obvious problem is
> > ...
>
> I'm wondering, if it's a "new web-based implementation",
> why you need a L3 firewall?
>
> I'd have thought a simple stateless filter rule that allows
> web access, but denies the rest, would suffice.
> The state kept by the SLB fixes returned packets by only
> NATing valid session traffic.

Because it's not JUST web, but that's the way the project was sold.

It's a web portal front-end for a number of disparate apps, plus some
high-volume (huge attachments) email plus possibly some FTP (I know, I
know. . .) and a few other minor things. . .

> My contrary view is that the firewalls don't belong out-front,
> but should live deeper in a layered architecture ...
> ... defense-in-depth means multiple choke points,
> not just a single perimeter barrier.

We're currently envisioning it as a DMZ with firewalls on both sides, and,
of course, DIFFERENT firewalls on different hardware/software platforms. . . .
