Re: [fw-wiz] 10Gb Firewalls



Just my $AU0.02 worth.

Netscreen 5200/5400 are 10Gb/30Gb "capable" respectively.

http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/netscreen_5200_slash_netscreen_5400/

Not sure how you would get "wire speed" on them though as 10Gb is only
on fibre ;-)

M@

2008/4/30 Fetch, Brandon <bfetch@xxxxxxx>:
Apart from the recommendations you've seen suggested, perhaps your
desire for the 10Gb firewall could be better addressed with a
re-thinking of your design/architecture?

You mention iSCSI traffic - passing that type of latency-sensitive
traffic through a firewall would be a serious negative in my opinion.
I'd bet $2 (or a single quid to you :) ) any iSCSI vendor would have
fits troubleshooting an issue if you told them it was passing through a
firewall.

I guess that's where I'm pointing you is to reevaluate what/where you
need to define access rules and determine whether you'd be better suited
to using something other than a L3/4 device to segment/isolate traffic
or access.

If you're looking at running a consolidated SAN between a number of
"limited" systems you've merely shifted your risk from IP/network to
disk/SAN. Who's to say you couldn't get someone trying to elevate their
level of access via the fiber-channel medium versus breaking through the
Ethernet layer?

Anyway - I think instead of trying to find the biggest hammer to strike
all your little nails at one time, you might want to consider putting
them into different boards in your house.

HTH,
Brandon


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Kerry Milestone
Sent: Tuesday, April 29, 2008 4:36 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] 10Gb Firewalls



Hello kind Wizards,

I am investigating the possibilities of putting a firewall on the end of
a 10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this
is a scoping project (though it _has_ to happen due to the nature of
projects in the institute), cost is not the main issue. I've come
across the Nortel Switched Firewall 6000, however this 'only' does 6Gb
throughput.

Alternatively, we have several firewalls which work at 1Gb and are
wondering if it's better to chanelize [sic] and put say 10 firewalls
each dealing with different traffic. In coming years, IP based VPNs to
other sites will become more used - and more 10Gb links to site perhaps
building up to a 40Gb WAN backbone. We currently have an IDS which will
can handle this much volume.

The next question, is extending the SAN. If using iSCSI, is it better
to leave this traffic off the firewall and just route it through, say a
GRE tunnel without encryption?

Would be keen to hear any thoughts on the theory of what I want to do.
Implementation is not so difficult, really after some 'best practices'
thoughts.


Many thanks,
Kerry.




--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards






--
"Some things are eternal by nature,
others by consequence"