nanog mailing list archives

"firewalls" at high speed -- was Re: FW: your mail


From: "Howard C. Berkowitz" <hcb () clark net>
Date: Mon, 27 Sep 1999 08:27:27 -0400


Alex Rudnev observed,

Folks, why are you all talking about gigabit traffic for the firewall?

Usually, a firewall stands between the intranet and the internet, and it should
process your upstream traffic, not more... And then, it's important to
measure the throughput in packets per second, not in gigabits...

Everything else is true - I suggest no good firewall can process
gigabit traffic at all, and only a few specially designed boxes can
process 100Mbit traffic. But again - it's a rare case when you do
have a 100Mbit upstream link.



All good points. Something else to consider:  with increasing cryptographic
security requirements, the "firewall" (ambiguous term as it is, but let's
think of it as a stateful packet screen -- the major approach at high
speed) is not the only device between you and the outside.  It's worth
thinking of:

   Bastion hosts -- not trusted with crypto keys
   Security gateways -- trusted to do encryption
     IPsec gateways
     SSL/TLS proxies
   Conduits with access lists -- for host-to-host encryption, where
                                 the firewall wouldn't add value

There is also the very murky area where logging and intrusion detection
mix, and whether they can operate at these speeds.
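A worked illustration of Alex's point that a packet screen has to be sized in packets per second rather than in gigabits. This is an added example, not code from either poster or from any firewall product; the only hard fact in it is the fixed 20-byte per-frame Ethernet wire overhead (preamble, SFD and interframe gap), and the 100 kpps rating and link speeds it is run against are hypothetical numbers chosen to show the spread between large-frame and minimum-frame traffic.

```python
"""Packets-per-second versus bits-per-second sizing for a stateful packet screen.

Constructed example (not from the NANOG thread). The Ethernet on-wire
overhead per frame is a real constant; the box rating and link speeds
used below are hypothetical.
"""

ETHERNET_WIRE_OVERHEAD_BYTES = 20   # 7 preamble + 1 SFD + 12 interframe gap, per frame
MIN_FRAME_BYTES = 64                # minimum Ethernet frame, FCS included
MAX_FRAME_BYTES = 1518              # maximum untagged Ethernet frame, FCS included


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link of link_bps carries when every frame is frame_bytes long."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError("frame size outside the Ethernet range")
    bits_per_frame = (frame_bytes + ETHERNET_WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame


def sustainable_bps(rated_pps: float, frame_bytes: int) -> float:
    """Bits per second a box rated at rated_pps actually forwards at one frame size.

    The same pps rating is 'over a gigabit' with 1518-byte frames and only
    tens of megabits with 64-byte frames, which is why a Gbps figure alone
    says little about a firewall.
    """
    return rated_pps * (frame_bytes + ETHERNET_WIRE_OVERHEAD_BYTES) * 8


def worst_case_fits(rated_pps: float, link_bps: float) -> bool:
    """True if the box keeps up with the link even when every frame is minimum size.

    Minimum-size frames are the conservative case for a packet screen: per-packet
    work (lookups, state updates) is roughly constant regardless of payload.
    """
    return rated_pps >= line_rate_pps(link_bps, MIN_FRAME_BYTES)


def sizing_table(link_bps: float, frame_sizes=(64, 128, 256, 512, 1024, 1518)) -> dict:
    """Map frame size -> whole frames per second at line rate, for a quick capacity table."""
    return {size: round(line_rate_pps(link_bps, size)) for size in frame_sizes}


if __name__ == "__main__":
    # Hypothetical box rated at 100 kpps, checked against a 100 Mbit upstream link.
    rating = 100_000
    for size, pps in sizing_table(100e6).items():
        print(f"100 Mbit link, {size:4d}-byte frames: {pps:>8d} pps at line rate")
    print(f"100 kpps box sustains {sustainable_bps(rating, 1518) / 1e6:.0f} Mbit/s of large frames")
    print(f"100 kpps box sustains {sustainable_bps(rating, 64) / 1e6:.0f} Mbit/s of minimum frames")
    print("keeps up with 100 Mbit at minimum frame size:", worst_case_fits(rating, 100e6))
```

The practical reading: a "100 Mbit" link is about 149 kpps at the worst case, so a box rated at 100 kpps will fall behind under a flood of small packets even though it comfortably carries a full gigabit of large frames. When reading a vendor figure, ask which frame size it was measured at.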


