I have some "your mileage may differ" experience: I had two clients
doing fairly light filtering who used Firewall-1 to filter a busy
100mbit full duplex link. The links carried a mix of www-oriented traffic
with multiple web servers on the inside, with a tendency toward smaller
(<1024 byte) traffic. Neither of the clients was doing significant
outbound filtering; both had light logging, and both had https, http, ssl,
ftp, etc. traffic. Both relied on front-end router-based filtering. Oh, the
second client positioned the firewall between their DMZ and their
internal subnet; the first was filtering ALL traffic inbound off of
multiple OC-12s as well as fiber point-to-points.

The system on which FW-1 was running was not able to handle the
traffic, causing delays and some unknown level of timeouts. The
machine was a single-processor (260MHz or so) Ultra-2.
Adding a second processor had no significant effect. FYI, the hme's WERE
operating at 100mbit. Given problems I observed at another client with
HME/switch autonegotiation, I don't know whether the HME's were REALLY
running at full duplex.

The system was upgraded to the fastest processor(s) from Sun (350's or
400's, I don't recall) and Firewall-1 worked fine. That clarified that
it was a processor rather than a bus or HME problem at 100mb
full-duplex.

Given that you are looking at somewhere between 50% and 25% of the
traffic (OC-3 vs. 100mbit full duplex direct to a switch aka "200mbit"),
the issue becomes the speed of the processor(s), the extent of logging,
what you filter, whether you are filtering outbound, etc. I guess the
short answer is that a dual-HME, dual-450, U-2 can handle 4 times the
traffic you expect with moderate filtering. This may seem obvious, but
there are so many variables that you will need to do some in-system
testing to verify.

If you now or EVER want to do multicasting, scratch PIX off your list.
Do NOT believe anything Cisco says until YOU evaluate a PRODUCTION
version of PIX that IS actually capable of handling multicast (don't
hold your breath).


[EMAIL PROTECTED] wrote:
> 
> I've been having trouble finding reliable information about scalable,
> high-availability firewalls and was hoping some people here may be able
> to give me some direction.
> 
> First, some base requirements:
> 
> - The firewall will be protecting an externally hosted web service we're
>   developing.  High security and high reliability are essential.
> - The traffic passing through the firewall will be 95% inbound SSL3
>   encrypted web traffic.  The remainder would be outbound DNS queries and
>   SMTP traffic, and a small amount of inbound management traffic (VPN or
>   SSH).
> - The system must be able to accommodate T3 levels of traffic (45Mbps).
> - The system must have redundancy/failover capabilities.
> - The system should provide good logging & auditing capabilities.
> 
> Before the bandwidth requirements had come into play, we had narrowed down
> the choices to Gauntlet or Firewall-1 running on 2 Sun 250 servers.  There
> is some concern, however, as to whether this would be able to handle the
> bandwidth requirements.
> 
> The alternatives are looking at other firewall solutions that have higher
> (perceived) performance such as PIX or ANS, or possibly using a load
> balancing system in front of the firewalls.  One vendor has also suggested
> using a Sun cluster solution.
> 
> I'm a little leery of all of these options since I'm not as knowledgeable
> about the other firewall products and the other options increase the
> complexity of the system.  I was also hoping to be able to standardize on
> one firewall product, since we'll also need a firewall (supporting much
> more general purpose traffic) in front of our business network.
> 
> Has anyone had experience running a similar configuration that can give
> some pointers as to what the best options are?  Or are there better
> options that we're overlooking?
> 
> Thanks very much in advance.
> 
> Scott Miles
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]
(USA) 510-524-0310