"firewalls" at high speed -- was Re: FW: your mail
Howard C. Berkowitz
hcb at clark.net
Mon Sep 27 12:27:27 UTC 1999
Alex Rudnev observed,
>Folks, why are all of you talking about gigabit traffic for the firewall?
>
>Usually, a firewall stands between the intranet and the internet, and it should
>process your upstream traffic, not more... And then, it's important to
>measure the throughput in packets per second, not in gigabits...
>
>Everything else is true - I suggest no good firewall can process
>gigabit traffic at all, and only a few specially designed boxes can
>process 100Mbit traffic. But then again - it's a rare case when you do
>have a 100Mbit upstream link.
All good points. Something else to consider: with increasing cryptographic
security requirements, the "firewall" (ambiguous term as it is, but let's
think of it as a stateful packet screen -- the major approach at high
speed) is not the only device between you and the outside. It's worth
thinking of:
Bastion hosts -- not trusted with crypto keys
Security gateways -- trusted to do encryption
IPsec gateways
SSL/TLS proxies
Conduits with access lists -- for host-to-host encryption, where the firewall wouldn't add value
There is also the very murky area where logging and intrusion detection
mix, and whether they can operate at these speeds.
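Alex's point that a stateful screen should be rated in packets per second rather than bits, worked through as an added example that is not part of the original thread. It assumes standard Ethernet framing overhead on the wire (8-byte preamble/SFD plus 12-byte inter-frame gap, with the 4-byte FCS counted inside the frame size) and a constructed firewall rating of 100,000 pps, to show how the same box saturates a 100 Mbit link with large frames but passes only about two thirds of it with minimum-size frames.

```python
# Added example (not from the original post): packet rate vs bit rate as a
# firewall capacity metric. Ethernet framing assumed: 8-byte preamble/SFD and
# 12-byte inter-frame gap are consumed on the wire but are not part of the
# frame; the frame size given includes the 4-byte FCS (64..1518 bytes).

PREAMBLE_IFG_BYTES = 20   # 8 preamble/SFD + 12 IFG, per frame, on the wire


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Line-rate frame count for one frame size on an Ethernet link."""
    wire_bits = (frame_bytes + PREAMBLE_IFG_BYTES) * 8
    return link_bps / wire_bits


def sustainable_bps(firewall_pps: float, frame_bytes: int, link_bps: float) -> float:
    """Frame bits per second a screen rated at firewall_pps can pass at this
    frame size, capped at what the link itself can carry (preamble and IFG
    excluded from the returned figure)."""
    return min(firewall_pps, max_pps(link_bps, frame_bytes)) * frame_bytes * 8


def capacity_table(firewall_pps: float, link_bps: float, sizes=(64, 512, 1518)) -> dict:
    """Per frame size: (line-rate pps, achievable bps, fraction of line rate).
    The fraction drops below 1.0 exactly where the per-packet budget, not the
    link, is the bottleneck."""
    rows = {}
    for size in sizes:
        line_pps = max_pps(link_bps, size)
        achieved_bps = sustainable_bps(firewall_pps, size, link_bps)
        rows[size] = (round(line_pps), round(achieved_bps),
                      min(firewall_pps, line_pps) / line_pps)
    return rows


if __name__ == "__main__":
    FIREWALL_PPS = 100_000        # constructed rating for illustration
    for link in (100e6, 1e9):
        print(f"link {link/1e6:.0f} Mbit/s, firewall {FIREWALL_PPS} pps")
        for size, (pps, bps, frac) in capacity_table(FIREWALL_PPS, link).items():
            print(f"  {size:5d}-byte frames: line rate {pps:>8d} pps, "
                  f"passes {bps/1e6:7.1f} Mbit/s ({frac:.0%} of line rate)")
```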