Firewall Wizards mailing list archives

High Performance Firewall solution?


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 2 Feb 1998 18:59:34 -0800 (PST)



My company is looking for a high performance firewall solution for our web
servers (everything is over port 80).  By high performance it needs to be
able to deal with 1,900Kbit/sec incoming and 9,000Kbit/sec outgoing
(sustained) and be able to scale effectively (we're growing at about
5-10%/month).

This from what I hear isn't very feasible- the requirements to do the
necessary filtering, authentication, etc would overload even a sizeable
server.  Obviously we don't want to spend 70K for a fully loaded Sun E450
to run our firewall either!

So currently we're looking at what I'll dub a "side firewall
configuration".  Basically the network looks like this:

              |                  |
              |--RND WSD Fe/Pro--|--Web Server Farm
Internet -----|                  | running Solaris
(100Mbps)     |                  |
              |--Firewall--------|
              |                  |
              |                  |
         Public VLAN         Private VLAN (192.168.xxx.xxx)

For those of you not familiar with the WSD, it's a load distributing unit
similar to Cisco's Local Director, but also very different.  At the core
of the WSD is a router/switch- it routes the first packet and acts as a
switch for the rest, hence it is able to get high throughput rates.
Increased performance can be achieved by running multiple WSD's in
parallel (unlike the LD).  Hence the single VIP (virtual IP address) on
the internet is routed/switched to the web server farm.  (Many machines
have 1 IP address on the internet.)  Since the WSD munges the IP header
info as it comes in and goes out, the servers can be on a private network
which normally wouldn't be accessible/routable across the internet.  This
configuration also requires that the WSD be the default route for the web
servers (unlike the LD).  The WSD also allows ACL's, and with a simple ACL
there is little performance hit.

Basically the WSD's would:
allow from any to web server port TCP 80
allow from any to web server established connections ??? depends on the
                firewall I guess
deny everything else

But then I need to figure out a way to allow certain users (Sparc Solaris,
Intel Linux, Win95/NT) from the internet to be authenticated into the
protected network so they can access the machines securely (encrypted
connections) from remote locations (SecureID, RSA Keys/ssh, or the like)-
hence the need for the firewall.  Preferably this would be done via a VPN
solution (because just about everything needs to be supported- TCP, UDP,
ICMP).  Management has stated they want the firewall to run on Sparc/Solaris
to keep management costs down.  It needs to be as transparent as possible,
ease of use is a key factor.  (Remote) Manageability as well since this
configuration will be duplicated at multiple datacenters.

Anyone's experience or thoughts are welcome (Am I even on the right track?
I'm not even sure if this is possible!)  Distributors/developers of
firewall products are also encouraged to respond but probably should do so
directly to me and not to the list.

Thanks!

 ------
Aaron Turner, CNE                        |  Email: aturner () vicinity com
Network Engineer                         |  Voice: 650.237.0311 x252
Vicinity Corp.  http://www.vicinity.com  |  Fax:   650.237.0305
Email-to-alpha-page: 4155721411.1146752 () pagenet net [Subject & Body sent]
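The "allow established ??? depends on the firewall" line in the ACL above really does depend on what the device means by "established". As an added illustration (not part of the original post or any WSD/Local Director code), the toy filter below evaluates the same three-line policy two ways: a classic stateless ACL, where "established" matches any packet with the TCP ACK bit set, and a stateful one, where it matches only replies to flows a web server opened itself. The server addresses, client addresses and packets are constructed for the example.

```python
# Added example, not from the original post: two readings of the poster's
# three-line ACL (allow any->server:80, allow established, deny the rest).
# Addresses and packets below are constructed; WEB_SERVERS is hypothetical.
from dataclasses import dataclass

WEB_SERVERS = {"192.168.1.10", "192.168.1.11"}   # constructed private-VLAN hosts


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag, what a stateless "established" keyword tests


class StatelessFilter:
    """Classic ACL: 'established' == ACK bit set; the device keeps no memory."""
    def allow(self, pkt: Packet) -> bool:
        if pkt.dst in WEB_SERVERS and pkt.dport == 80:
            return True                      # allow any -> web server port 80
        return pkt.dst in WEB_SERVERS and pkt.ack   # "established" by flag only


class StatefulFilter:
    """Same policy, but 'established' means a flow a server opened outbound,
    recorded in a connection table when the outbound packet passed."""
    def __init__(self) -> None:
        self.table: set = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.src in WEB_SERVERS:           # remember the expected reply tuple
            self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def allow(self, pkt: Packet) -> bool:
        if pkt.dst in WEB_SERVERS and pkt.dport == 80:
            return True
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table


def compare() -> dict:
    """Returns (stateless, stateful) verdicts for three constructed packets."""
    web_hit = Packet("203.0.113.5", 40000, "192.168.1.10", 80)            # normal client
    stray_ack = Packet("203.0.113.5", 40001, "192.168.1.10", 22, ack=True) # ACK to port 22
    reply = Packet("198.51.100.7", 80, "192.168.1.11", 3300, ack=True)   # reply to server
    stateless, stateful = StatelessFilter(), StatefulFilter()
    stateful.outbound(Packet("192.168.1.11", 3300, "198.51.100.7", 80))  # server's own fetch
    return {name: (stateless.allow(p), stateful.allow(p))
            for name, p in (("web_hit", web_hit), ("stray_ack", stray_ack), ("reply", reply))}
```

The stateless reading passes the stray ACK to port 22 on the private VLAN, which is exactly the case a real firewall behind the WSD (or a stateful "established") is there to close.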
