> Leland -- I scanned your site and Watchguard's. Both look very interesting
> and relevant to my needs.
>
> We are in the early design phases of a super secure, rather high volume
> (perhaps 1M hits/8 hr day) environment.
>
> The transactions are quite simple. An incoming HTTPS query of about 150
> bytes. The response from the secure service is also about 150 bytes long.
> The HTTPS query will be handled by a farm of NT servers running IIS. We are
> using ISAPI DLLs (which run under IIS) to handle the HTTPS request.
>
> This is the ONLY type of traffic which will traverse the firewall. There
> will be no need for PCs inside this secure network to browse or access the
> Internet. The network will be ENTIRELY dedicated to these secure
> transactions.
On a "here's an alternative just for the hell of it basis":
        Outside World
              |
        Packet Filtering Firewall (443 only)
              |
        SSL Layer proxy    }
              |            } These could actually be one unit, but I don't know of
        Caching proxy      } any that will do both jobs
              |
        --------------------------------
         |    |    |    |    |    |
              HTTP server farm
Benefits:
- Multiple security layers. Packet filtering, then application-level
firewalling via the proxies (Allowing you to block potential hacks
before they even get to your servers) then the servers themselves. In
the case of a recently publicised IIS problem which could be accessed
via a specific set of urls, such a setup allows you to simply block,
log, and move on within moments of knowing about it. A suitable set of
access rules for your site could well mean that you block future hacks
before they've even been discovered.
- Higher performance levels. The caching proxy below the SSL link means
that your web servers will not have to serve up images or static
content, you get a rapid in-memory response (known as an
http-accelerator)
Costs:
- More potential points of failure. Failover on the proxy box is necessary.
- SSL can be fairly CPU intensive, SSL proxy must be fast and solid.
- A bit more work to set up :)
Note that in your case, you specified a small request and reply, so this
structure may not apply particularly well (Maybe you're not serving any
static content :) Also note that 1mil hits in 8hrs should be servable in
HTTP by no more than 3 decent boxes. You may want one more for failure
tolerance. I have yet to evaluate the cost of HTTPS on a connection.
Richard.
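A minimal version of the application-level rule set Richard describes for the proxy layer (default-deny on the one legitimate transaction shape, plus a "block, log, and move on" deny rule for a publicised URL), added here as an example that is not from the original thread. The endpoint path /txn, the body size limit, and the PLACEHOLDER_BAD_PATH deny pattern are assumptions, not values from the discussion.

```python
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("sslproxy-filter")

# Site policy (hypothetical): the only legitimate traffic is a ~150-byte POST
# to a single endpoint, so everything else is rejected before it reaches IIS.
ALLOWED_METHODS = {"POST"}
ALLOWED_PATH = "/txn"
MAX_BODY_BYTES = 256  # page says ~150 bytes; leave some headroom

# Deny rules for URLs named in a vendor advisory; placeholder pattern only.
BLOCKED_URL_PATTERNS = [re.compile(r"/PLACEHOLDER_BAD_PATH\b", re.I)]


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_request(method, target, content_length):
    """Apply deny rules first (for logging), then the default-deny allowlist."""
    for pat in BLOCKED_URL_PATTERNS:
        if pat.search(target):
            log.warning("deny rule %s hit: %s %s", pat.pattern, method, target)
            return Decision(False, "deny-rule:" + pat.pattern)
    if method not in ALLOWED_METHODS:
        return Decision(False, "method")
    path, _, query = target.partition("?")
    if path != ALLOWED_PATH or query:
        return Decision(False, "path")
    if not 0 < content_length <= MAX_BODY_BYTES:
        return Decision(False, "size")
    return Decision(True, "ok")


def filter_raw(head):
    """Parse a raw HTTP request head (bytes) and decide; unparseable input is blocked."""
    try:
        lines = head.decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
    except ValueError:
        log.warning("malformed request head blocked: %r", head[:64])
        return Decision(False, "malformed")
    return check_request(method, target, length)
```

Run filter_raw over each request head the SSL proxy hands you and forward only when Decision.allowed is true; the reason string is what you log.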
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]