North American Network Operators Group


"firewalls" at high speed -- was Re: FW: your mail

  • From: Howard C. Berkowitz
  • Date: Mon Sep 27 08:35:37 1999

Alex Rudnev observed,

>Folks, why are all of you talking about the Gigabit traffic for the firewall?
>
>Usually, a firewall stands between intranet and internet, and it should
>process your upstream traffic, not more... And then, it's important to
>measure the throughput in packets/per_second, not in the gigabits...
>
>Everything else is true - I suggest no one good firewall can process
>gigabit traffic at all, and only a few specially designed boxes can
>process 100Mbit traffic. But just again - it's a rare case when you do
>have a 100Mbit upstream link.



All good points. Something else to consider:  with increasing cryptographic
security requirements, the "firewall" (ambiguous term as it is, but let's
think of it as a stateful packet screen -- the major approach at high
speed) is not the only device between you and the outside.  It's worth
thinking of:

   Bastion hosts -- not trusted with crypto keys
   Security gateways -- trusted to do encryption
     IPsec gateways
     SSL/TLS proxies
   Conduits with access lists -- for host-to-host encryption, where
                                 the firewall wouldn't add value

There is also the very murky area where logging and intrusion detection
mix, and whether they can operate at these speeds.