Re: [fw-wiz] 10Gb Firewalls



Looked into this a couple of years ago for next-gen network
segmentation in the data centre; and I believe the Crossbeam Platform
(x-series) running Checkpoint will give you what you're looking for;
It's a network appliance, which runs various 'applications' e.g.
Checkpoint Firewall, Sourcefire, Imperva, Trend, Websense.

Otherwise, as others have already said -- Cisco has options either the
ASA platforms, or the 6500 with FWSM.

Re: SAN transport -- as others have already mentioned; I'd avoid
trying to transport low-latency traffic like iSCSI through a firewall
infrastructure. I'd be looking to keep this in a dedicated switched
transport network where possible (with Jumbo frame support); and if
it's traversing a WAN then use FCIP rather than iSCSI. It really
depends on your SAN architecture -- but extending a SAN would mean
creating a larger fabric; whereas it's better to connect independent
fabrics together using a 'routed' interconnect between the remote
locations (this prevents fabric reconfigurations in one location
impacting the other, or reconfigurations caused by WAN/MAN outage
impacting the local sites) - use something like Cisco's inter-VSAN
routing; or Brocade has a similar approach/solution I believe (using
what used to be called their FAP - fabric application platform).

2008/4/29 Kerry Milestone <km4@xxxxxxxxxxxx>:
Hello kind Wizards,

I am investigating the possibilities of putting a firewall on the end of a
10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this is a
scoping project (though it _has_ to happen due to the nature of projects in
the institute), cost is not the main issue. I've come across the Nortel
Switched Firewall 6000, however this 'only' does 6Gb throughput.

Alternatively, we have several firewalls which work at 1Gb and are
wondering if it's better to chanelize [sic] and put say 10 firewalls each
dealing with different traffic. In coming years, IP based VPNs to other
sites will become more used - and more 10Gb links to site perhaps building
up to a 40Gb WAN backbone. We currently have an IDS which can handle
this much volume.

The next question, is extending the SAN. If using iSCSI, is it better to
leave this traffic off the firewall and just route it through, say a GRE
tunnel without encryption?

Would be keen to hear any thoughts on the theory of what I want to do.
Implementation is not so difficult, really after some 'best practices'
thoughts.


Many thanks,
Kerry.




--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
a charity registered in England with number 1021457 and a company registered
in England with number 2742969, whose registered office is 215 Euston Road,
London, NW1 2BE.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




--
Dominic Fells,
domfells@xxxxxxxxx
+447770654349


