2000-02-28-13:51:09 Kevin Johnston:
> Does anyone have experience with firewalls that support Gigabit?
> I need a firewall that will support up to 4 network segments, with
> at least 1 gigabit segment.
What kind of policy do you need to enforce on this firewall?
If all you need is some very trivial packet filtering ---
ingress/egress filtering for a single, small static-routed net,
IP directed broadcast filtering for same, perhaps straight static
packet filtering on port numbers, blocking RFC 1918 net traffic,
and so forth --- then I'd like to hope that there might be a really
high-end router that could do the job, and I'd probably go to Cisco
for it. And expect it to cost more than an exotic sportscar, though
possibly less than a large mansion right by a yacht club.
If the firewall needs to authenticate connections, filter content
through sophisticated proxies, etc. then I'd avoid trying to fit
it into a single box. Ideally I'd move the hard parts of the
firewall functionality downstream towards lower-bandwidth choke
points, and if that were impossible then I'd see if anybody makes
a LAN load-balancer that can pump as much traffic as you need
(I'd probably ask that question of Foundry), and failing that try
a mixture of DNS load balancing with asymmetric load-splitting
techniques (use different addresses, with different hostnames, for
http proxy, MX server inbound, outbound SMTP, etc.).
The less you have to do at a Gbps the happier you'll be. If you
can keep the hard jobs down well under 100Mbps you can see _much_
better price/performance implementations. To paraphrase Seymour
Cray, whenever possible try and use 1024 chickens rather than a
harness of oxen.
-Bennett
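The "very trivial packet filtering" policy Bennett lists (ingress/egress anti-spoof filtering for one small static-routed net, IP directed broadcast filtering, static port filtering, blocking RFC 1918 traffic) is small enough to write down as a decision function and test against sample packets. The following is an added example, not from the thread or any vendor; the site prefix, the allowed ports and the packets are constructed placeholders, and the function models only the external interface of a single-homed site.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical site net (documentation range) behind the external interface.
SITE_NET = ip_network("198.51.100.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed static port policy: only these TCP services are reachable from outside.
ALLOWED_INBOUND_TCP_PORTS = {25, 80, 443}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 when the protocol has none
    inbound: bool = True  # True when arriving from the outside on the external link


def evaluate(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for one packet on the external interface."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # RFC 1918 addresses must never cross the external link in either direction.
    if any(src in n or dst in n for n in RFC1918):
        return "drop:rfc1918"
    if pkt.inbound:
        # Ingress filtering: outside packets must not claim an internal source.
        if src in SITE_NET:
            return "drop:spoofed-src"
        # A single static-routed net only receives traffic addressed to itself.
        if dst not in SITE_NET:
            return "drop:not-for-us"
        # Directed broadcast filtering: no remote packets to the net/broadcast address.
        if dst in (SITE_NET.network_address, SITE_NET.broadcast_address):
            return "drop:directed-broadcast"
        # Static packet filtering on TCP port numbers.
        if pkt.proto == "tcp" and pkt.dport not in ALLOWED_INBOUND_TCP_PORTS:
            return "drop:port"
        return "accept"
    # Egress filtering: packets leaving the site must carry a site source address.
    if src not in SITE_NET:
        return "drop:egress-spoof"
    return "accept"
```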