Firewall Wizards mailing list archives

Re: SMTP Firewall (fwd)


From: Roy Stevens <tobor () ns compunetservices com>
Date: Wed, 15 Sep 1999 08:49:16 -0500 (CDT)



---------- Forwarded message ----------
Date: Wed, 8 Sep 1999 10:26:32 -0500 (CDT)
From: Roy Stevens <tobor@ns>
To: Kenneth_W_Fox () sbphrd com
Subject: Re: SMTP Firewall

They currently employ 2 firewalls.  One of which has all internal clients 
(6,000+ HTTP browsers) pointed at it.  The other carries 95+% of the mail.  
This is accomplished through DNS mail record preference.  Both firewalls are 
currently configured identically.  They rely on DNS to split services.  
There is an initiative to move to a load-sharing scenario.  I estimate 
that the SMTP load will be approximately 25%.  They will also be adding 
additional services: Real Media, news, other streaming content.

The only positive argument I have is that by moving the mail service to 
its own cluster (2 for redundancy) it will extend the usable 
life of the current hardware investment.

Both clusters will be running application gateway proxy software.  There 
is in place virus scanning for SMTP via an additional server placed 
between the firewall and the corp e-mail servers.

I like the idea of separating the services, so that I can customize TCP 
settings for web traffic on one set while optimizing settings for mail-type 
traffic on the other.  This also would enable me to independently change or 
upgrade the OS or applications without impacting the other, if this change is 
more suited to one type of service than the other.

As far as administering the additional boxes, we currently admin about 20, 
so 2 more should be no big deal.

I am looking for tangible items to support this decision or to deny it.  
My personal preference does not count for much.

Thanks

On Wed, 8 Sep 1999 Kenneth_W_Fox () sbphrd com wrote:

There are a number of reasons for and against. Depends on the firewall you're
using and the volume of traffic. What percentage of your firewall's
resources are currently being expended on email (SMTP) in & out? Or perhaps
they want a specific piece of firewall software that does something your
current firewall's software doesn't. Depends what other services are being
pushed through your firewall (NNTP, Real Audio or video, HTTP). Look at it
this way - if you already have more than one firewall, you should probably
put HTTP through one & SMTP through the other. I look at having an array
(2+ firewalls) all configured identically but with the non-primary services
turned off on each firewall. Then if there's a problem with one the others
back it up in short order after your manual intervention - simple level
redundancy.
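The thread contrasts two ways of steering inbound mail across two firewalls: the current setup, where DNS MX preference values send nearly all mail to one firewall with the other as a fallback, and the proposed load-sharing arrangement. The following Python is an added example, not code from either author or their site; it implements the MX ordering a sending MTA applies (ascending preference value, equal values tried in random order, per RFC 5321 section 5.1) and simulates which firewall receives each message under both layouts, including failover when one host is down. The hostnames and preference values are constructed for illustration.

```python
import random
from collections import Counter

# Constructed record sets with hypothetical hostnames (not from the thread).
# "Preference split": the lower preference value wins, so fw1 receives all
# first delivery attempts and fw2 only sees mail when fw1 is unreachable.
PREFERENCE_SPLIT = [(10, "fw1.example.com"), (20, "fw2.example.com")]
# "Load sharing": equal preference values, so each sending MTA picks the
# order at random and both firewalls receive roughly half the first attempts.
LOAD_SHARING = [(10, "fw1.example.com"), (10, "fw2.example.com")]


def mx_delivery_order(records, rng=None):
    """Order the MX hosts the way a sending MTA tries them (RFC 5321 section 5.1):
    ascending preference value, with hosts of equal preference shuffled."""
    rng = rng if rng is not None else random.Random()
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)  # equal preferences are tried in random order
        order.extend(hosts)
    return order


def first_reachable(records, unreachable=(), rng=None):
    """Host that actually receives the message: the first in MX order that is up.
    Returns None when every MX host is down (the sender queues and retries)."""
    for host in mx_delivery_order(records, rng):
        if host not in unreachable:
            return host
    return None


def simulate(records, deliveries, unreachable=(), seed=0):
    """Count which firewall handles each of `deliveries` messages, using a seeded
    RNG so the run is repeatable."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(deliveries):
        counts[first_reachable(records, unreachable, rng)] += 1
    return counts


def share(counts, host):
    """Fraction of deliveries handled by `host`."""
    total = sum(counts.values())
    return counts[host] / total if total else 0.0


if __name__ == "__main__":
    for name, records in (("preference split", PREFERENCE_SPLIT),
                          ("load sharing", LOAD_SHARING)):
        counts = simulate(records, 1000)
        print(f"{name}: " + ", ".join(f"{h} {share(counts, h):.0%}" for h in sorted(counts)))
    # Failover: with fw1 down, mail still flows through fw2 under either layout.
    print("fw1 down:", simulate(PREFERENCE_SPLIT, 10, unreachable={"fw1.example.com"}))
```

The simulation models first delivery attempts only; the few percent that the backup firewall sees in the thread's real setup comes from senders that fell back to it while the preferred host was unreachable, which the `unreachable` parameter lets you reproduce. Note that with equal preferences the split is decided by each remote sender's random choice, so it is only approximately even and cannot be weighted (for example 25/75) through MX records alone.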
