[hardware] gigabit firewall

From: Carsten Otto (c-otto_at_gmx.de)
Date: 06/25/04


Date: 25 Jun 2004 21:20:46 GMT

Hello!

I need some help finding the right hardware for a gigabit firewall.

Here is the most important information:

- about 250 users (each 100 MBit)
- mixed 100/1000 MBit backbone (local network)
- 1000 MBit Internet/university network <-> 1000 MBit internal network
- network use is typical "home use" (surfing, mail, chat, file sharing),
  although a few large transfers may occur and some servers are running
  in the local network (including game servers)
- firewall should do accounting (IP-based)
- only few firewall rules (blocking some ports)

I just measured the current packets/sec and packet sizes (11pm here) on
the 100 MBit firewall. If you need more data, I can test again at other
times.

- about 1600 - 1800 packets/sec (900 incoming, 700 outgoing)
- packet sizes (measured over about 10 minutes):

Packet Size (bytes)   Count     Packet Size (bytes)   Count
     1 to   75       407926       751 to  825          4110
    76 to  150       525765       826 to  900          2553
   151 to  225        75152       901 to  975          8226
   226 to  300        83945       976 to 1050          5214
   301 to  375        58937      1051 to 1125          6429
   376 to  450        27464      1126 to 1200          1353
   451 to  525         8909      1201 to 1275          3449
   526 to  600         6935      1276 to 1350         55322
   601 to  675         5246      1351 to 1425          8184
   676 to  750         4799      1426 to 1500+       362829

At the moment we think of one of the following solutions:

1) self-built

- 1x P4 2.8 (Prescott, 1 MB cache, 800 MHz bus)
- Asus PSCH-SR
- 2x 256 MB PC3200
- 80GB 7200rpm S-ATA
- Intel SCA (Copper) + Intel 1000XF (PCI-X, Fiber)

2) Sun Fire v60x

- 1x Xeon 2.8 (512 KB cache) [upgradeable to 2x Xeon]
- 2x 512 MB PC2100
- 36 GB 10000rpm SCSI
- 2x Intel PCI-X (on separate busses?) + converter copper <-> fiber

Solution 2 is more expensive, but has some advantages (Sun, Xeon, 1HE).
We plan to use a recent Linux 2.6 kernel.

Please tell me what kind of hardware is needed for this specific network
situation. I'd also like to hear some opinions regarding the two server
solutions. Because we are a dormitory, money is of concern.

Thanks a lot,

-- 
Carsten Otto
c-otto@gmx.de
www.c-otto.de

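As an added worked example (my code, not part of Carsten's post), the histogram above run through a small capacity estimate: count-weighted mean packet size, the share of small packets, and the packets/sec a saturated gigabit link would present to the firewall with this traffic mix. The 24-byte per-frame wire overhead, the 1500-byte value for the open top bucket and the 1700 pps midpoint are my assumptions.

```python
import re
# Packet-size table copied from the post (two buckets per line, last bucket open-ended "1500+").
HISTOGRAM_TEXT = """
     1 to 75: 407926    751 to 825: 4110
    76 to 150: 525765   826 to 900: 2553
   151 to 225: 75152    901 to 975: 8226
   226 to 300: 83945    976 to 1050: 5214
   301 to 375: 58937    1051 to 1125: 6429
   376 to 450: 27464    1126 to 1200: 1353
   451 to 525: 8909     1201 to 1275: 3449
   526 to 600: 6935     1276 to 1350: 55322
   601 to 675: 5246     1351 to 1425: 8184
   676 to 750: 4799     1426 to 1500+: 362829
"""
WIRE_OVERHEAD = 24       # assumption: preamble (8) + FCS (4) + inter-frame gap (12) not in the captured size
OPEN_BUCKET_SIZE = 1500  # assumption: treat the open-ended "1426 to 1500+" bucket as full-size frames
MEASURED_PPS = 1700      # assumption: middle of the 1600-1800 packets/sec quoted in the post

def parse_histogram(text):
    """Return [(lo, hi, count), ...] from every 'lo to hi: count' pair in the table."""
    return [(int(lo), int(hi), int(n)) for lo, hi, n in re.findall(r"(\d+) to (\d+)\+?: (\d+)", text)]

def total_packets(hist):
    return sum(n for _, _, n in hist)

def mean_packet_size(hist):
    """Count-weighted mean packet size using each bucket's midpoint (open top bucket pinned)."""
    top = max(hi for _, hi, _ in hist)
    total_bytes = sum(n * (OPEN_BUCKET_SIZE if hi == top else (lo + hi) / 2) for lo, hi, n in hist)
    return total_bytes / total_packets(hist)

def small_packet_fraction(hist, limit=150):
    """Share of packets no larger than `limit` bytes: these drive the per-packet (pps) load."""
    return sum(n for _, hi, n in hist if hi <= limit) / total_packets(hist)

def pps_at_line_rate(bits_per_s, packet_bytes):
    """Packets/sec a link delivers when saturated with frames of the given captured size."""
    return bits_per_s / ((packet_bytes + WIRE_OVERHEAD) * 8)

def current_load_bits_per_s(hist, pps=MEASURED_PPS):
    """Approximate bit rate implied by the measured pps and this size mix."""
    return pps * mean_packet_size(hist) * 8

if __name__ == "__main__":
    hist = parse_histogram(HISTOGRAM_TEXT)
    avg = mean_packet_size(hist)
    print(f"sample: {total_packets(hist)} packets, mean ~{avg:.0f} B, "
          f"{small_packet_fraction(hist):.0%} are <= 150 B, load ~{current_load_bits_per_s(hist)/1e6:.1f} Mbit/s")
    print(f"1 Gbit/s saturated with this mix: ~{pps_at_line_rate(1e9, avg):,.0f} pps; "
          f"worst case 60-byte frames: ~{pps_at_line_rate(1e9, 60):,.0f} pps")
```

The useful takeaway is that more than half the packets are tiny while two-thirds of the bytes sit in full-size frames, so the box must be sized on packets per second (interrupt and rule-lookup cost), not on the nominal 1000 MBit figure.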
