Re: [fw-wiz] 10Gb Firewalls

Looked into this a couple of years ago for next-gen network
segmentation in the data centre; and I believe the Crossbeam Platform
(x-series) running Checkpoint will give you what you're looking for;
It's a network appliance, which runs various 'applications' e.g.
Checkpoint Firewall, Sourcefire, Imperva, Trend, Websense.

Otherwise, as others have already said -- Cisco has options either the
ASA platforms, or the 6500 with FWSM.

Re: SAN transport -- as others have already mentioned; i'd avoid
trying to transport low-latency traffic like iSCSI through a firewall
infrastructure. I'd be looking to keep this in a dedicated switched
transport network where possible (with Jumbo frame support); and if
it's traversing a WAN then use FCIP rather than iSCSI. It really
depends on your SAN archictecture -- but extending a SAN would mean
creating a larger fabric; whereas its better to connect indepedant
fabrics together using a 'routed' interconnect between the remote
locations (this prevents fabric reconfigurations in one location
impacting the other, or reconfigurations caused by WAN/MAN outage
impacting the local sites) - use something like Cisco's inter-VSAN
routing; or Brocade has a similar approach/solution I believe (using
what used to be called their FAP - fabric application platform).

2008/4/29 Kerry Milestone <km4@xxxxxxxxxxxx>:
Hello kind Wizards,

I am investigating the possibilities of putting a firewall on the end of a
10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this is a
scoping project (though it _has_ to happen due to the nature of projects in
the institute), cost is not the main issue. I've come across the Nortel
Switched Firewall 6000, however this 'only' does 6Gb throughput.

Alternatively, we have several firewalls which work at 1Gb and are
wondering if its a better to chanelize [sic] and put say 10 firewalls each
dealing with different traffic. In coming years, IP based VPN's to other
sites will become more used - and more 10Gb links to site perhaps building
up to a 40Gb WAN backbone. We currently have an IDS which will can handle
this much volume.

The next question, is extending the SAN. If using iSCSI, is it better to
leave this traffic off the firewall and just route it through, say a GRE
tunnel without encryption?

Would be keen to hear any thoughts on the theory of what I want to do.
Implementation is not so difficult, really after some 'best practices'

Many thanks,

The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
a charity registered in England with number 1021457 and a company registered
in England with number 2742969, whose registered office is 215 Euston Road,
London, NW1 2BE. _______________________________________________
firewall-wizards mailing list

Dominic Fells,
firewall-wizards mailing list