North American Network Operators Group

Subject: "firewalls" at high speed -- was Re: FW: your mail
Alex Rudnev observed,

> Folks, why are all of you talking about gigabit traffic for the firewall?
>
> Usually, a firewall stands between the intranet and the internet, and it should
> process your upstream traffic, not more... And then, it's important to
> measure the throughput in packets per second, not in gigabits...
>
> Everything else is true - I suggest no good firewall can process
> gigabit traffic at all, and only a few specially designed boxes can
> process 100Mbit traffic. But just again - it's a rare case when you do
> have a 100Mbit upstream link.

All good points. Something else to consider: with increasing cryptographic security requirements, the "firewall" (ambiguous term as it is, but let's think of it as a stateful packet screen -- the major approach at high speed) is not the only device between you and the outside. It's worth thinking of:

  Bastion hosts -- not trusted with crypto keys
  Security gateways -- trusted to do encryption
    IPsec gateways
    SSL/TLS proxies
  Conduits with access lists -- for host-to-host encryption, where the firewall wouldn't add value

There is also the very murky area where logging and intrusion detection mix, and whether they can operate at these speeds.
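To put numbers behind the "packets per second, not gigabits" point in the quoted message, here is an added worked example (not part of the original post) that computes the line-rate frame count of an Ethernet link at various frame sizes. It assumes standard Ethernet framing overhead (8-byte preamble/SFD and a 12-byte inter-frame gap, with the 14-byte header and 4-byte FCS already counted in the frame size); the link rates and frame sizes are constructed inputs.

```python
# Added example, not code from the NANOG thread: maximum packets per second
# a link can deliver to a firewall at a fixed frame size. The same link carries
# roughly 18 times more frames per second at the 64-byte minimum than at the
# 1518-byte maximum, which is why a "100 Mbit firewall" rated on large packets
# can fall over on small-packet floods.

ETH_PREAMBLE_SFD = 8   # bytes on the wire before each frame (preamble + SFD)
ETH_IFG = 12           # inter-frame gap, expressed in byte times
ETH_MIN_FRAME = 64     # minimum Ethernet frame, header and FCS included
ETH_MAX_FRAME = 1518   # maximum untagged Ethernet frame, header and FCS included


def max_pps(link_bps: int, frame_bytes: int) -> int:
    """Maximum frames per second a link of link_bps can carry at frame_bytes per frame.

    frame_bytes counts the 14-byte header and 4-byte FCS; preamble and
    inter-frame gap are added here because they also occupy wire time.
    """
    if frame_bytes < ETH_MIN_FRAME:
        raise ValueError("Ethernet frames are at least 64 bytes on the wire")
    bits_per_frame = (frame_bytes + ETH_PREAMBLE_SFD + ETH_IFG) * 8
    return link_bps // bits_per_frame


def pps_table(link_bps: int, sizes=(64, 128, 512, 1518)) -> dict:
    """Frames per second for each frame size in sizes on a link of link_bps."""
    return {size: max_pps(link_bps, size) for size in sizes}


def pps_ratio(link_bps: int) -> float:
    """How many times more frames/s the link carries at 64 B than at 1518 B."""
    return max_pps(link_bps, ETH_MIN_FRAME) / max_pps(link_bps, ETH_MAX_FRAME)


if __name__ == "__main__":
    # Constructed link rates matching the ones discussed in the thread.
    for name, bps in (("100 Mbit/s", 100_000_000), ("1 Gbit/s", 1_000_000_000)):
        print(name)
        for size, pps in pps_table(bps).items():
            print(f"  {size:5d} B frames: {pps:>10,d} pps")
        print(f"  64 B vs 1518 B packet-rate ratio: {pps_ratio(bps):.1f}x")
```

Run it as a script to print the table; the 64-byte row is the figure to compare against a firewall vendor's packets-per-second rating, since that is the load a small-packet flood presents to a stateful screen regardless of how few bits it carries.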