Firewall Wizards mailing list archives
Re: 10Gb Firewalls
From: "Dominic Fells" <domfells () gmail com>
Date: Wed, 30 Apr 2008 10:34:15 -0700
Looked into this a couple of years ago for next-gen network segmentation in the data centre; and I believe the Crossbeam Platform (x-series) running Checkpoint will give you what you're looking for; it's a network appliance, which runs various 'applications' e.g. Checkpoint Firewall, Sourcefire, Imperva, Trend, Websense. Otherwise, as others have already said -- Cisco has options: either the ASA platforms, or the 6500 with FWSM.

Re: SAN transport -- as others have already mentioned; I'd avoid trying to transport low-latency traffic like iSCSI through a firewall infrastructure. I'd be looking to keep this in a dedicated switched transport network where possible (with Jumbo frame support); and if it's traversing a WAN then use FCIP rather than iSCSI.

It really depends on your SAN architecture -- but extending a SAN would mean creating a larger fabric; whereas it's better to connect independent fabrics together using a 'routed' interconnect between the remote locations (this prevents fabric reconfigurations in one location impacting the other, or reconfigurations caused by WAN/MAN outage impacting the local sites) - use something like Cisco's inter-VSAN routing; or Brocade has a similar approach/solution I believe (using what used to be called their FAP - fabric application platform).

2008/4/29 Kerry Milestone <km4 () sanger ac uk>:
> Hello kind Wizards,
>
> I am investigating the possibilities of putting a firewall on the end of a 10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this is a scoping project (though it _has_ to happen due to the nature of projects in the institute), cost is not the main issue.
>
> I've come across the Nortel Switched Firewall 6000, however this 'only' does 6Gb throughput. Alternatively, we have several firewalls which work at 1Gb and are wondering if it's better to chanelize [sic] and put say 10 firewalls each dealing with different traffic.
>
> In coming years, IP based VPNs to other sites will become more used - and more 10Gb links to site perhaps building up to a 40Gb WAN backbone. We currently have an IDS which will can handle this much volume.
>
> The next question is extending the SAN. If using iSCSI, is it better to leave this traffic off the firewall and just route it through, say, a GRE tunnel without encryption?
>
> Would be keen to hear any thoughts on the theory of what I want to do. Implementation is not so difficult, really after some 'best practices' thoughts.
>
> Many thanks,
> Kerry.
>
> --
> The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
Dominic Fells, domfells () gmail com +447770654349