Thursday, July 21, 2005

firewall-wizards digest, Vol 1 #1635 - 3 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Intel vs. special purpose FW-1 servers (Marcus J. Ranum)
2. Re: Intel vs. special purpose FW-1 servers (Keith A. Glass)
3. Re: Discretionary WiFi Access (Jim Seymour)

--__--__--

Message: 1
Date: Thu, 21 Jul 2005 09:32:44 -0400
To: "Emily Conrad" <emilydconrad@hotmail.com>,
firewall-wizards@honor.icsalabs.com
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers

Emily Conrad wrote:
>Does anyone have any advice on what factors are important when making such a decision?

I'm assuming that, since you're asking about performance, you don't
care about security. So I'll just speak to the performance side of the
equation.

You should know what your peak loads through the link are going to
look like, and then you can start looking at which products claim they
operate at that level. If you're really concerned you can either use
one of two (equally effective) approaches to predict the performance
you'll see:
1) test or research a credible performance test (not one done by a vendor lab)
2) use bob's algorithm - assume the product can actually handle 1/2 of
what its manufacturer claims it can handle

Before you can even worry about performance, you should do some
basic research and information-gathering about your own network.
That's just Capacity Planning 101. "Back in the day" we used to get
customers who were worried about firewall performance because our
"slow" proxy firewall ran on an Intel box instead of a Sun (in those days,
people cared about that, too) - and they were worried about whether it could
handle their 56k link. <LOL>

mjr.

--__--__--

Message: 2
From: "Keith A. Glass" <salgak@speakeasy.net>
To: "Emily Conrad" <emilydconrad@hotmail.com>,
firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 13:40:20 +0000
Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers

> -----Original Message-----
> From: Emily Conrad [mailto:emilydconrad@hotmail.com]
> Sent: Tuesday, July 12, 2005 08:17 PM
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] Intel vs. special purpose FW-1 servers
>
> Hello,
>
> We are working on a project to upgrade our firewall infrastructure.
>
> One of the questions is whether to use FW-1 on a standard Intel server or to
> use a special-purpose optimized version of FW-1 on a dedicated hardware
> platform such as Nokia firewall appliance or Crossbeam systems C30/X40.
>
> Does anyone have any advice on what factors are important when making such a
> decision?

Several comments.

1. Have you EVER previously implemented FW-1 on an Intel platform? IF not,
I'd suggest an appliance-based solution. Personally, if I wanted to run FW-1
on generic hardware, I'd buy some cheap SunFire 120s and run it on Solaris,
now that single-processor licenses for Solaris are free. I'd specifically
recommend Solaris 9, and note that locking down a Solaris system for firewall
usage is FAR easier and more complete than trying to lock down a Win2K/2K3
system.

2. Are you looking to CLUSTER FW-1 for HA or load balancing? If so, you will
DEFINITELY need to look for an optimized appliance-based solution. And, based
on my experience, I'd suggest the Nortel "Alteon" systems for FW-1: a pair of
Alteon Directors and a pair of compatible Alteon Accelerators give you a
clustered solution that doesn't require you to play any oddball Cisco tricks
on your switches, allows you a NUMBER of separated nets behind the firewall,
and even multiple DMZs. I've used Nokia IP-series before, as well as FW-1 on
Solaris, and can't say enough about the Alteon platform. . .

--__--__--

Message: 3
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Discretionary WiFi Access
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Thu, 21 Jul 2005 10:04:21 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

Vinicius Moreira Mello <vmmello@inf.ufrgs.br> wrote:
>
> Jose Varghese wrote:
> >
> > Keeping it simple: Physical segregation and only Internet access
>
> Sorry, but I don't agree. If you deploy and maintain the network you'll
> be liable for any legal action against you in case of misuse.

Perhaps so, but irrelevant, in my view, because I feel responsibility
trumps legal liability. IOW: Even were there no legal liability, it
would be the height of irresponsibility to create an uncontrolled,
un-monitored WiFi hot spot with unfettered access to the 'net.

> Making
> reality simpler is not the same as creating simple solutions.

s/is not/is not necessarily/

>
> I would consider studying solutions #2 or #3 from John Adams's message.
> There are some guides/howtos out there that show how to configure such
> scenarios.

The problem with those solutions is that not all clients will be
supported by the newer WiFi protocols. Most 802.11b drivers don't
support WAP, much less 802.1x, for example. And even if they do
support them, older implementations may need to be patched to get
bug-fixes. Are *you*, the local network admin., going to take
responsibility for patching a guest's PC? Then there'll be the
administrative overhead in granting the guest access: Both server-side
and client-side. For every visitor--coming and going. Are you, the
local network admin., going to take responsibility for making
configuration changes to a visitor's PC?

Don't get me wrong: I agree that an open mode WLAN is a Very Bad Idea.
But I don't see how John Adams' suggestions are practical, either.

Am I missing something?

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/scform.php>.

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest