Hi,
Why don't you consult Compaq (earlier Digital services) for this particular
model and requirement? They have a separate division called CSS (computer
special systems). They build, test (you can test and give your requirements
and specifications) and integrate complete systems for you. (High-end Alpha
processors with Digital Unix are really good systems, but they are marketed
badly.) (This is the branded qualification for Digital.)
I hope this helps.
cheers
prashanth
> -----Original Message-----
> From: Daemeon Reiydelle [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, March 24, 1999 8:06 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: High performance/scalable firewalls
>
> I have some "your mileage may differ" experience: I had two clients
> doing fairly light filtering who used Firewall-1 to filter a busy
> 100mbit full duplex link. The links carried a mix of www oriented traffic
> with multiple web servers on the inside, a tendency toward smaller
> (<1024 byte) traffic. Neither of the clients were doing significant
> outbound filtering, had light logging, both had https, http, ssl, ftp,
> etc. traffic. Both relied on front-end router-based filtering. Oh, the
> second client positioned the firewall between their DMZ and their
> internal subnet, the first was filtering ALL traffic inbound off of
> multiple OC-12's as well as fiber point-to-point's.
>
> The firewall on which FW-1 was running was not able to handle the
> traffic, causing delays and some unknown level of timeouts. The
> processor was a single-processor (260Mhz or so processor) Ultra-2.
> Adding a second processor had no significant effect. FYI, the hme's WERE
> operating at 100mbit. Given problems I observed at another client with
> HME/switch autonegotiation, I don't know whether the HME's were REALLY
> running at full duplex.
>
> The system was upgraded to the fastest processor(s) from Sun (350's or
> 400's, I don't recall) and Firewall-1 worked fine. That clarified that
> it was a processor rather than a bus or HME problem at 100mb
> full-duplex.
>
> Given that you are looking at somewhere between 50% and 25% of the
> traffic (OC-3 vs. 100mbit full duplex direct to a switch aka "200mbit"),
> the issue becomes the speed of the processor(s), the extent of logging,
> what you filter, whether you are filtering outbound, etc. I guess the
> short answer is that a dual-HME, dual-450, U-2 can handle 4 times the
> traffic you expect with moderate filtering. This may seem obvious, but
> there are so many variables that you will need to do some in-system
> testing to verify.
>
> If you now or EVER want to do multicasting, scratch PIX off your list.
> Do NOT believe anything Cisco says until YOU evaluate a PRODUCTION
> version of PIX that IS actually capable of handling multicast (don't
> hold your breath).
>
>
> [EMAIL PROTECTED] wrote:
> >
> > I've been having trouble finding reliable information about scalable,
> > high-availability firewalls and was hoping some people here may be able
> > to give me some direction.
> >
> > First, some base requirements:
> >
> > - The firewall will be protecting an externally hosted web service we're
> > developing. High security and high reliability are essential.
> > - The traffic passing through the firewall will be 95% inbound SSL3
> > encrypted web traffic. The remainder would be outbound DNS queries and
> > SMTP traffic, and a small amount of inbound management traffic (VPN or
> > SSH).
> > - The system must be able to accommodate T3 levels of traffic (45Mbps).
> > - The system must have redundancy/failover capabilities.
> > - The system should provide good logging & auditing capabilities.
> >
> > Before the bandwidth requirements had come into play, we had narrowed down
> > the choices to Gauntlet or Firewall-1 running on 2 Sun 250 servers. There
> > is some concern, however, as to whether this would be able to handle the
> > bandwidth requirements.
> >
> > The alternatives are looking at other firewall solutions that have higher
> > (perceived) performance such as PIX or ANS, or possibly using a load
> > balancing system in front of the firewalls. One vendor has also suggested
> > using a Sun cluster solution.
> >
> > I'm a little leery of all of these options since I'm not as knowledgeable
> > about the other firewall products and the other options increase the
> > complexity of the system. I was also hoping to be able to standardize on
> > one firewall product, since we'll also need a firewall (supporting much
> > more general purpose traffic) in front of our business network.
> >
> > Has anyone had experience running a similar configuration that can give
> > some pointers as to what the best options are? Or are there better
> > options that we're overlooking?
> >
> > Thanks very much in advance.
> >
> > Scott Miles
> > [EMAIL PROTECTED]
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> --
> Daemeon Reiydelle
> Systems Engineer, Anthropomorphics Inc.
> [EMAIL PROTECTED]
> (USA) 510-524-0310