RE: Speeds and feeds

From: Moser, Stefan (stefan.moserat_private)
Date: Fri May 29 1998 - 04:06:45 PDT


    Bill,
    
    Looking at the equation from the firewall speed side I would also consider
    the Cisco PIX and FireWall-1 running on a Nokia switch.
    
    Looking at the Nokia, it has a couple of cool features like VRRP support
    and traffic shaping. So even if you'd still be forced to use multiple feeds
    for performance reasons, it might simplify your setup/eliminate the need
    for custom scripting etc. They're fairly cheap too. Obviously you kinda
    have to like Firewall-1....
    
    Just my $0.02
    
    -Stefan
    
    > -----Original Message-----
    > From:	Stout, Bill [SMTP:StoutB@pioneer-standard.com]
    > Sent:	Tuesday, May 26, 1998 7:07 PM
    > To:	Firewall-wizards
    > Subject:	Speeds and feeds
    > 
    > 
    > I'm working with a company currently using a T1 which becomes very
    > sluggish when engineers do many FTP and HTTP sessions through a state
    > firewall on a Netra-1 (firewall is not a bottleneck).  They're thinking
    > of upgrading to a T3 with a fast proxy server (+ VPN) since they also
    > are running out of IPs, and internal systems are getting hit by external
    > packets.
    > 
    > My knee-jerk reaction is to use a very fast CPU system (600MHz Alpha)
    > and Altavista FW with 100Mbps cards.
    >                          webservers
    >                              |
    >   Internet--(T3)---R1---FW---+----R2----Internal LAN
    >                             VPN
    >                          Tunnel Svr
    > 
    > I'm wondering about alternatives to the situation, one is multiple T1s
    > coming into a set of BGP net for redundancy, and to partition FTP/HTTP
    > proxies on one server, and remaining traffic on a second server
    > (allowing future cluster or fail-over via scripts and IP failover of
    > secondaries).  Although this actually may be cheaper, faster and more
    > reliable, it's more complex, and harder for the company to fix if it
    > dies (fails into a degraded mode).  Also most local traffic may route
    > through a single T1, and they may inadvertently become an Internet
    > eXchange.
    > 
    >     Internet
    >     | | | 
    >    (n+1 T1s)
    >     | | | 
    >   Cisco 2500s
    >     | | | 
    >   Hub/switch
    >     |    |
    >  FW-A   FW-B
    > 
    > FW-A could be used for outbound client system access, and FW-B could be
    > used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
    > etc).  A dual-subnet webfarm could connect to a third interface on both.
    > Hmm, too complex maybe.
    > 
    > Opinions?
    > 
    > Bill Stout
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:09 PDT