On Tue, 23 Mar 1999 [EMAIL PROTECTED] wrote:

> - The firewall will be protecting an externally hosted web service we're 
>   developing.  High security and high reliability are essential.

If you're allowing public traffic to the servers you'd probably be better
off with packet filters on your routers and spending your money on
host-based security systems including content change detection systems.

> - The traffic passing through the firewall will be 95% inbound SSL3 
>   encrypted web traffic.  The remainder would be outbound DNS queries and 
>   SMTP traffic, and a small amount of inbound management traffic (VPN or 
>   SSH).

With the right OS, you can do an additional layer of protection by
using something like IPFilter and stateful stuff for DNS.

> - The system must be able to accommodate T3 levels of traffic (45Mbps).
> - The system must have redundancy/failover capabilities.

This is really better done by colo/DNS than by hosts if you want real
scale and redundancy.  Of course that doesn't give transactional failover,
but I'm not sure there's a good way to do that with SSL v3 anyway (other
than very expensive clustering solutions with shared memory that tend to
have single points of failure).

> - The system should provide good logging & auditing capabilities.

Your problem at those traffic levels will be (a) logging all traffic, and
(b) analyzing those logs.  More smaller boxes solve for (a) - solving for
(b) is more difficult if you do extensive traffic logging.

> Before the bandwidth requirements had come into play, we had narrowed down 
> the choices to Gauntlet or Firewall-1 running on 2 Sun 250 servers.  There 
> is some concern, however, as to whether this would be able to handle the 
> bandwidth requirements.  

I think you'd be spending a great deal of money on software that mostly
won't gain you much over properly configured servers.  If all you allow is
the specific services you need to run, you'll find the biggest point of
vulnerability to be encrypted HTTP traffic, which you'll have to let
through anyway.  A firewall won't do much for VPN traffic that a host
can't, same with SSL.  Mail probably isn't your most significant risk,
especially if it's outbound only.

> The alternatives are looking at other firewall solutions that have higher 
> (perceived) performance such as PIX or ANS, or possibly using a load 
> balancing system in front of the firewalls.  One vendor has also suggested 
> using a Sun cluster solution.  

That's a lot of eggs in a single physical basket - depending on your
redundancy requirements you may want to look more closely at
colocation/physical distribution.

[snip]

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
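The host-based approach described in the reply above (packet filters that admit only the services in the stated traffic profile, stateful handling for DNS, and logging of everything that is dropped) can be written out as an IPFilter ruleset. This is an added example, not part of the original message or of any ruleset its author used; the interface name le0, the server address 192.0.2.10 and the management network 198.51.100.0/24 are assumed placeholders for the real values.

```ipfilter
# Assumed placeholders: le0 = external interface, 192.0.2.10 = this web
# server, 198.51.100.0/24 = the network that management (SSH) comes from.

# Default deny in both directions, logging every dropped packet so the
# logs answer "what did we refuse" rather than recording all traffic.
block in  log on le0 all
block out log on le0 all

# Inbound HTTPS from anywhere: the one service that must be open.
# "flags S" only matches connection setup; "keep state" then admits the
# rest of the session without further rules.
pass in  quick on le0 proto tcp from any to 192.0.2.10/32 port = 443 flags S keep state

# Outbound DNS: stateful so only replies to our own queries come back in.
pass out quick on le0 proto udp from 192.0.2.10/32 to any port = 53 keep state
pass out quick on le0 proto tcp from 192.0.2.10/32 to any port = 53 flags S keep state

# Outbound SMTP only; nothing is allowed to deliver mail to this host.
pass out quick on le0 proto tcp from 192.0.2.10/32 to any port = 25 flags S keep state

# Inbound SSH for management, restricted to the assumed management network.
pass in  quick on le0 proto tcp from 198.51.100.0/24 to 192.0.2.10/32 port = 22 flags S keep state

# Everything else falls through to the logged block rules above.
```

IPFilter evaluates the whole list and the last matching rule wins unless a rule carries `quick`, which stops processing at that rule; that is why the blanket block rules come first and each permitted service is a `quick` pass. Loading the file with `ipf -Fa -f /etc/ipf.conf` replaces the active ruleset, and `ipmon` reads the logged blocks, which keeps the logging volume proportional to rejected traffic rather than to the full 45 Mbps.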

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
