Grich Ondřej wrote:
>
> I know this is a stupid question, but I should try it. :)
Not at all! Stupid questions are the ones not asked. ;)
> Situation: High volume internet site. DMZ will host WWW servers, webhosting
> servers, SMTP servers, DNS servers. The DMZ has to be hidden by PACKET
> FILTER. No NAT or proxy functionality is needed (the reason is performance
> issue). My question is what are the best performers on PACKET FILTER MARKETS?
Couple of questions:
1) Are the hosts hardened?
2) Patched?
3) Will someone be religiously maintaining the patches?
4) Are you sure?
5) Are you _really_ sure? ;)
I ask the above as it will play a big part in determining which
technology you use. If the hosts will be watched closely, you can
probably get away with static packet filters (say on a Cisco router). If
you are not 100% certain the hosts will be maintained, go with a
stateful filter. Your best bet in this arena is probably a Nokia box
running FW-1. It's the fastest stateful filter I've seen.
> I'm interested in proven data.
Check out Checkpoint's Web site. I'm sure they have metrics on the
Nokia. I know they did a recent study which included FW-1 on Linux and
Nokia still won out, but I'm not sure if they publicized the findings or
not.
> I thought about load balancing switches with
> security functionality (like BigIP from f5networks, or ArrowPoint products),
> but these are not proven (from a security point of view).
Also, keeping it simple is a good thing. F5? Humm, seem to remember some
interesting stuff in the archive about them. ;)
> Is anybody aware of maximum network throughput which can be handled by
> PACKET FILTER (in general)?
This will vary with vendor & platform but in general, static will give
you better performance than stateful. Which to choose depends on your
environment.
> I'm sure some of you had faced the same situation. What are the solutions,
> concepts you used?
Yup, hardened hosts with static filters. Network based IDS to watch over
the chicken coop. ;)
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
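A toy model of the two filter types Chris contrasts, a static access list versus a stateful connection-tracking filter, added here as an example and not part of the original thread; the addresses and packets are constructed and both filters are deliberately simplified. It shows why the stateful option is the safer fallback when DMZ hosts might not stay patched: a stateless rule cannot tell a genuine reply from any packet that merely carries the ACK flag.

```python
from dataclasses import dataclass

DMZ_WEB = "192.0.2.10"   # constructed DMZ web server address (hypothetical)
CLIENT = "198.51.100.7"  # constructed Internet client address (hypothetical)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def static_filter(pkt: Packet) -> bool:
    """Stateless ACL in the style of a plain router access list: permits new
    HTTP to the web server, its replies, and any ACK-flagged packet as a
    presumed reply (the 'established' idiom). No memory of earlier packets."""
    if pkt.dst == DMZ_WEB and pkt.dport == 80:
        return True
    if pkt.src == DMZ_WEB and pkt.sport == 80:
        return True
    return pkt.ack  # looks like part of an existing connection, so allowed

class StatefulFilter:
    """Connection-tracking filter: a flow exists only once a permitted SYN
    has opened it, and every later packet must belong to a known flow."""
    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()
    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn and not pkt.ack and pkt.dst == DMZ_WEB and pkt.dport == 80:
            self.flows.add(fwd)  # new permitted HTTP session
            return True
        return fwd in self.flows or rev in self.flows  # continuation or reply

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Run both filters over a packet sequence; returns (static, stateful) verdicts."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.allow(p)) for p in packets]

# Constructed traffic: a genuine HTTP session, then a stray ACK-flagged
# packet aimed at a non-web port on the same DMZ host.
SAMPLE = [
    Packet(CLIENT, 40000, DMZ_WEB, 80, syn=True),            # client opens HTTP
    Packet(DMZ_WEB, 80, CLIENT, 40000, syn=True, ack=True),  # server answers
    Packet(CLIENT, 40000, DMZ_WEB, 80, ack=True),            # session continues
    Packet(CLIENT, 40001, DMZ_WEB, 22, ack=True),            # no session exists
]
```

Running `compare(SAMPLE)` shows both filters agreeing on the three packets of the real session and disagreeing on the last one, which the static filter passes and the stateful filter drops.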