>I'm working with a company currently using a T1 which becomes very
>sluggish when engineers do many FTP and HTTP sessions through a state
>firewall on a Netra-1 (firewall is not a bottleneck). They're thinking

Then why bother upgrading the firewall? May I suggest an internal caching
proxy server?

>of upgrading to a T3 with a fast proxy server (+ VPN) since they also

A proxy server will always be slower than a packet-filter or stateful
inspection type of firewall.

>are running out of IPs, and internal systems are getting hit by external
>packets.

Configure the firewall for address translation and of course block
traffic to internal hosts.

>I'm wondering about alternatives to the situation, one is multiple T1s
>coming into a set of BGP net for redundancy, and to partition FTP/HTTP
>proxies on one server, and remaining traffic on a second server

Dual (active) parallel firewalls: twice the effort needed to monitor and
secure these hosts. I would compare it to resistors in parallel: total
resistance is halved. Cisco's HSRP (can FW-1 deal with that?) for the
internal router would be a better redundancy solution.

>    Internet
>     | | |
>   (n+1 T1s)
>     | | |
>   Cisco 2500s

I don't think a 2500 can handle a T3 (max. 8Mbps), especially if you're
also using access-lists. You probably need a 36xx or 72xx for that.

>     | | |
>   Hub/switch
>     |   |
>   FW-A FW-B
>
>FW-A could be used for outbound client system access, and FW-B could be
>used for inbound/server protocols (VPN, webserver SQL, NTP, SMTP, DNS,
>etc). A dual-subnet webfarm could connect to a third interface on both.
>Hmm, too complex maybe.

-- 
Rodney van den Oever / 06 55868577 / PGP Key ID 0x0A6CCE53
When asked by an anthropologist what the Indians called America before
the white man came, an Indian said simply "ours". - Vine Deloria, Jr.
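As an added example, not part of Rodney's message or the original thread, here is what the three suggestions above (address translation for the inside network, blocking unsolicited traffic to internal hosts, and HSRP for gateway redundancy) look like on a pair of Cisco IOS routers of the 36xx/72xx class he mentions. Every address, interface name, host role and HSRP group number is assumed for illustration: 10.0.0.0/24 is the internal LAN, 203.0.113.0/24 (the documentation range) stands in for the company's assigned public block, and Serial0/0 is the T1/T3 side. Router B carries the same configuration except for the two lines marked.

```cisco
! gw-a: HSRP active router. gw-b is identical except where noted below.
! All addresses, interfaces and group numbers are assumed for illustration.
hostname gw-a
!
! Inside LAN on private addressing (RFC 1918), which removes the
! "running out of IPs" problem. HSRP gives inside hosts a single
! virtual default gateway, 10.0.0.1, that only the active router answers for.
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
! gw-b: "ip address 10.0.0.3 255.255.255.0" and "standby 1 priority 100".
! If gw-a loses its WAN link, tracking lowers its priority to 90 and gw-b
! (also configured with preempt) takes over the virtual address.
!
! WAN side. The inbound filter is applied here; for packets arriving from
! the Internet IOS evaluates the inbound ACL before the outside-to-inside
! NAT translation, so the filter sees the public addresses.
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 101 in
!
! Many internal sessions share the serial interface address (PAT/overload).
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
!
! Published servers keep fixed public addresses through static NAT
! (assumed roles: mail relay, DNS, web server).
ip nat inside source static 10.0.0.25 203.0.113.25
ip nat inside source static 10.0.0.53 203.0.113.53
ip nat inside source static 10.0.0.80 203.0.113.80
!
! Inbound filter on the outside interface:
!  - drop packets whose source claims to be our own or private space
!  - admit only the published services, to their public addresses
!  - admit replies to connections initiated from inside
!  - deny and log everything else, so internal hosts are never reachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 101 permit tcp any host 203.0.113.25 eq smtp
access-list 101 permit udp any host 203.0.113.53 eq domain
access-list 101 permit tcp any host 203.0.113.53 eq domain
access-list 101 permit tcp any host 203.0.113.80 eq www
access-list 101 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 101 permit udp any eq domain 203.0.113.0 0.0.0.255
access-list 101 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 203.0.113.0 0.0.0.255 unreachable
access-list 101 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
access-list 101 deny   ip any any log
```

Two caveats a practitioner would want. First, the translation table is local to each router: an HSRP failover moves the gateway address but not the in-flight NAT entries, so sessions in progress are dropped unless the IOS release in use supports stateful NAT synchronisation between the pair. That is the same state-sharing question Rodney raises with "can FW-1 deal with that?". Second, the `established` rule only checks TCP flags, not connection state; it is what the stateless ACL can offer, and the stateful firewall behind the routers remains the control that actually tracks sessions.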
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:11 PDT