[25229] in North American Network Operators' Group
"firewalls" at high speed -- was Re: FW: your mail
daemon@ATHENA.MIT.EDU (Howard C. Berkowitz)
Mon Sep 27 08:34:59 1999
Message-Id: <v04011703b41512164443@[168.143.1.215]>
In-Reply-To: <Pine.SUN.3.91.990927151341.25341K-100000@virgin.relcom.eu.net>
Date: Mon, 27 Sep 1999 08:27:27 -0400
To: nanog@merit.edu
From: "Howard C. Berkowitz" <hcb@clark.net>
Alex Rudnev observed,
>Folks, why are all of you talking about gigabit traffic for the firewall?
>
>Usually, a firewall stands between the intranet and the internet, and it should
>process your upstream traffic, not more... And then, it's important to
>measure the throughput in packets per second, not in gigabits...
>
>Everything else is true - I suggest no good firewall can process
>gigabit traffic at all, and only a few specially designed boxes can
>process 100Mbit traffic. But again - it's a rare case when you do
>have a 100Mbit upstream link.
All good points. Something else to consider: with increasing cryptographic
security requirements, the "firewall" (ambiguous term as it is, but let's
think of it as a stateful packet screen -- the major approach at high
speed) is not the only device between you and the outside. It's worth
thinking of:
Bastion hosts -- not trusted with crypto keys
Security gateways -- trusted to do encryption
IPsec gateways
SSL/TLS proxies
Conduits with access lists -- for host-to-host encryption, where
the firewall wouldn't add value
There is also the very murky area where logging and intrusion detection
mix, and whether they can operate at these speeds.
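An added illustration, not part of the original post, of why the packets-per-second figure rather than the bit rate is what a stateful packet screen has to be sized for. It assumes standard Ethernet framing (20 bytes of preamble, start delimiter and inter-frame gap on the wire beyond each frame) and the 64- to 1518-byte frame range; the function names are my own.

```python
"""Worst-case packet rate a firewall must sustain for a given link speed.

A stateful packet screen does per-packet work (lookup, state update,
logging), so its real budget is packets per second and nanoseconds per
packet, not bits per second.  The same 100 Mbit/s link delivers roughly
18 times more packets when they are minimum-size than when they are
maximum-size, and that is the load the device must survive.
"""

# Assumed: preamble (7) + start-frame delimiter (1) + inter-frame gap (12)
ETHERNET_OVERHEAD_BYTES = 20
MIN_FRAME = 64      # bytes, including 14-byte header and 4-byte FCS
MAX_FRAME = 1518    # bytes, untagged Ethernet maximum


def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Frames per second on a link saturated with frames of one size."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError(f"frame size {frame_bytes} outside {MIN_FRAME}..{MAX_FRAME}")
    wire_bits = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return link_bps / wire_bits


def ns_per_packet(link_bps: float, frame_bytes: int) -> float:
    """Time budget the firewall has to finish with each packet at line rate."""
    return 1e9 / max_pps(link_bps, frame_bytes)


def pps_budget(link_bps: float, frame_sizes=(64, 128, 512, 1518)) -> dict:
    """Packets/s the device must handle for each assumed frame size."""
    return {size: max_pps(link_bps, size) for size in frame_sizes}


def worst_to_best_ratio(link_bps: float) -> float:
    """How much harder the minimum-size case is than the maximum-size case."""
    return max_pps(link_bps, MIN_FRAME) / max_pps(link_bps, MAX_FRAME)


if __name__ == "__main__":
    for label, bps in (("100 Mbit/s", 100e6), ("1 Gbit/s", 1e9)):
        print(label)
        for size, pps in pps_budget(bps).items():
            print(f"  {size:5d}-byte frames: {pps:12,.0f} pps, "
                  f"{ns_per_packet(bps, size):8,.0f} ns per packet")
```

At 1 Gbit/s with 64-byte frames the screen gets 672 ns per packet, which is the figure to compare against the cost of a state-table lookup and a log write, not the raw bit rate.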