which firewall product?

William Herrin bill at herrin.us
Tue Jul 30 22:39:38 UTC 2013

On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap <ikiris at gmail.com> wrote:
> Well, I guess my first question is: Is this a design you are stuck with for
> some reason or alternately, is there a good reason for it, and I need to be
> educated as to real world design? It seems rather odd to put a firewall
> boundary between a LB and its associated cluster as opposed to in front of
> the LB.


Paperwork. The customer owns 3 servers in a system consisting of
a hundred or so. He wants his security people to accredit it. They
won't accredit individual servers, so his options were: duplicate the
full system just for him (very expensive) or create a security
boundary where he can say, "This is my enclave. Accredit my enclave."

Naturally his security people decide that they don't want the
firewalls to be additional servers running Linux. That would make it
far too easy to secure his system. I don't yet know if they'd accept
an appliance running Linux underneath. :/


William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
