Firewall Wizards mailing list archives

Re: Info Request: Looking for alternatives in HA/Load balancing firewalls ...


From: "Peter J. Cherny" <peterc () luddite com au>
Date: Thu, 13 Apr 2006 23:39:04 +1000

At 04:24 AM 5/4/06, Keith A. Glass wrote:
> We're currently spec'ing functional requirements for a new web-based implementation of a number of enterprise apps. One obvious problem is
> ...

I'm wondering, if it's a "new web-based implementation",
why you need an L3 firewall?

I'd have thought a simple stateless filter rule that allows
web access, but denies the rest, would suffice.
The state kept by the SLB fixes returned packets by only
NATing valid session traffic.

I know a couple of old AD3/4 used for both SLB and filtering
can easily support a few Gb of traffic,
I'd imagine newer boxen from all the vendors would do better.

My contrary view is that the firewalls don't belong out-front,
but should live deeper in a layered architecture ...
... defense-in-depth means multiple choke points,
not just a single perimeter barrier.

pjc

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
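
A minimal model of the arrangement described in the message above, added here as an illustration and not part of the original post: a stateless permit rule for web traffic to a virtual IP, plus an SLB session table that NATs return packets only when they match a session. The addresses, ports, round-robin selection and class names are assumptions constructed for the example, and session timeouts are not modelled.

```python
from dataclasses import dataclass

VIP = "192.0.2.10"                  # constructed virtual IP (documentation range)
REALS = ["10.0.0.11", "10.0.0.12"]  # constructed real servers behind the SLB
WEB_PORTS = {80, 443}

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def stateless_permit(p: Pkt) -> bool:
    """Stateless rule: allow web access to the VIP, deny the rest."""
    return p.proto == "tcp" and p.dst == VIP and p.dport in WEB_PORTS

class SLB:
    def __init__(self):
        self.sessions = {}  # (client, client port, VIP port) -> real server
        self._next = 0

    def inbound(self, p: Pkt):
        """Filter, then DNAT to a real server and record the session."""
        if not stateless_permit(p):
            return None
        key = (p.src, p.sport, p.dport)
        if key not in self.sessions:
            self.sessions[key] = REALS[self._next % len(REALS)]
            self._next += 1
        return Pkt(p.src, p.sport, self.sessions[key], p.dport, p.proto)

    def outbound(self, p: Pkt):
        """Rewrite the source back to the VIP only for a known session."""
        key = (p.dst, p.dport, p.sport)
        if self.sessions.get(key) != p.src:
            return None  # no matching session: not NATed, so it is dropped
        return Pkt(VIP, p.sport, p.dst, p.dport, p.proto)

def demo():
    slb = SLB()
    client = Pkt("198.51.100.7", 40000, VIP, 443)
    fwd = slb.inbound(client)                                    # permitted, DNATed
    reply = slb.outbound(Pkt(fwd.dst, 443, client.src, client.sport))
    ssh = slb.inbound(Pkt("198.51.100.7", 40001, VIP, 22))       # denied by the filter
    stray = slb.outbound(Pkt(REALS[0], 443, "203.0.113.9", 5555))  # no session
    return fwd, reply, ssh, stray
```
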

