You may want to look at http://www.alteon-networks.com/ for the ACEdirector2
server load balancing switch.  If you configure your web servers' IP addresses
as Virtual IPs in the switch, then your real servers can have RFC1918
addresses, and be totally unknown to the public Internet, except for the ports
you specify in the load-balancing VIP setup.  It can also perform transparent
redirection of TCP/UDP ports to some other IP address/port.  It has packet
filters, but you need the most recent code to get the new filter flag for
established connections.  But packet filters are not needed if your servers
live on RFC1918 addresses.

In addition, you can hook up two of them in a fully redundant mesh, and the
standby unit will take over if the primary fails.  It also features distributed
load balancing between geographically separated data centers.

They also have some very high end Gigabit switches with most of the same
features.  The ACEdirector2 is very fast and very reliable - and it's their
entry level product.  I will be looking at their Gigabit switches sometime down
the road.  Very happy with the ACE2.

Using a device like this (and there are several others, see
http://www.foundrynet.com, http://www.arrowpoint.com, http://www.bigip.com/
for some others I reviewed) in front of your production web servers, you can
then deploy a more modest, but more flexible, general purpose firewall in
front of your business network.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, March 23, 1999 12:06 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: High performance/scalable firewalls
>
>
>
> I've been having trouble finding reliable information about scalable,
> high-availability firewalls and was hoping some people here may be able
> to give me some direction.
>
> First, some base requirements:
>
> - The firewall will be protecting an externally hosted web service we're
>   developing.  High security and high reliability are essential.
> - The traffic passing through the firewall will be 95% inbound SSL3
>   encrypted web traffic.  The remainder would be outbound DNS queries and
>   SMTP traffic, and a small amount of inbound management traffic (VPN or
>   SSH).
> - The system must be able to accommodate T3 levels of traffic (45Mbps).
> - The system must have redundancy/failover capabilities.
> - The system should provide good logging & auditing capabilities.
>
> Before the bandwidth requirements had come into play, we had narrowed down
> the choices to Gauntlet or Firewall-1 running on 2 Sun 250 servers.  There
> is some concern, however, as to whether this would be able to handle the
> bandwidth requirements.
>
> The alternatives are looking at other firewall solutions that have higher
> (perceived) performance such as PIX or ANS, or possibly using a load
> balancing system in front of the firewalls.  One vendor has also suggested
> using a Sun cluster solution.
>
> I'm a little leery of all of these options since I'm not as knowledgeable
> about the other firewall products and the other options increase the
> complexity of the system.  I was also hoping to be able to standardize on
> one firewall product, since we'll also need a firewall (supporting much
> more general purpose traffic) in front of our business network.
>
> Has anyone had experience running a similar configuration that can give
> some pointers as to what the best options are?  Or are there better
> options that we're overlooking?
>
> Thanks very much in advance.
>
> Scott Miles
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
