At 04:24 AM 5/4/06, Keith A. Glass wrote:
>We're currently spec'ing functional requirements for a new web-based
>implementation of a number of enterprise apps. One obvious problem is

I'm wondering, if it's a "new web-based implementation",
why you need an L3 firewall?

I'd have thought a simple stateless filter rule that allows
web access, but denies the rest, would suffice.
The state kept by the SLB fixes returned packets by only
NATing valid session traffic.

I know a couple of old AD3/4 used for both SLB and filtering
can easily support a few Gb of traffic;
I'd imagine newer boxen from all the vendors would do better.

My contrary view is that the firewalls don't belong out front,
but should live deeper in a layered architecture ...
defense-in-depth means multiple choke points,
not just a single perimeter barrier.
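
The front end the reply sketches, as an added example that is not the author's code and not any vendor's configuration: a small Python model of a stateless filter that admits only web traffic, followed by an SLB whose per-session NAT table is the only state on the path. The VIP 203.0.113.10, the real-server pool, the port list and the rule layout are assumptions, and the packets are constructed for the demonstration.

```python
"""Toy model of a stateless L3/L4 filter in front of a server load balancer
(SLB) that keeps per-session NAT state.  Added example with constructed
packets; addresses, ports and rule layout are assumptions, not anyone's
production configuration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # set on the first packet of a TCP connection


VIP = "203.0.113.10"                       # public address of the service (assumed)
REAL_SERVERS = ["10.0.0.11", "10.0.0.12"]  # backend pool behind the SLB (assumed)
WEB_PORTS = frozenset({80, 443})

# Stateless rules: (action, field -> required value); first match wins, and a
# frozenset means "any of".  Nothing here remembers earlier packets, so the
# return direction needs its own explicit permit.
INBOUND_RULES = [
    ("allow", {"proto": "tcp", "dst": VIP, "dport": WEB_PORTS}),
    ("deny", {}),
]
OUTBOUND_RULES = [
    ("allow", {"proto": "tcp", "src": VIP, "sport": WEB_PORTS}),
    ("deny", {}),
]


def stateless_filter(pkt: Packet, rules) -> bool:
    """Decide on header fields alone; return True if the packet is permitted."""
    for action, spec in rules:
        if all(getattr(pkt, f) in v if isinstance(v, frozenset) else getattr(pkt, f) == v
               for f, v in spec.items()):
            return action == "allow"
    return False


class Slb:
    """DNATs VIP traffic to a real server and keeps a session table keyed by
    client (ip, port).  In this model a packet with no session is dropped, never
    translated, which is what lets the front filter stay stateless."""

    def __init__(self) -> None:
        self.sessions: dict[tuple[str, int], str] = {}
        self._next = 0

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport)
        if pkt.syn and key not in self.sessions:            # new connection: pick a server
            self.sessions[key] = REAL_SERVERS[self._next % len(REAL_SERVERS)]
            self._next += 1
        server = self.sessions.get(key)
        if server is None or pkt.dst != VIP:                # mid-stream stray: not NATed
            return None
        return replace(pkt, dst=server)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if self.sessions.get((pkt.dst, pkt.dport)) != pkt.src:  # not a known session's reply
            return None
        return replace(pkt, src=VIP)                        # SNAT back to the VIP


def client_to_service(slb: Slb, pkt: Packet) -> Optional[Packet]:
    """Path from the Internet: stateless filter first, then the SLB."""
    return slb.inbound(pkt) if stateless_filter(pkt, INBOUND_RULES) else None


def service_to_client(slb: Slb, pkt: Packet) -> Optional[Packet]:
    """Return path: SLB un-NATs, then the filter sees a VIP-sourced packet."""
    out = slb.outbound(pkt)
    return out if out and stateless_filter(out, OUTBOUND_RULES) else None


def run_scenario() -> dict:
    """Constructed packets: one real session plus three stray cases."""
    slb = Slb()
    r = {}
    syn = Packet("198.51.100.7", 40000, VIP, 80, syn=True)
    fwd = client_to_service(slb, syn)
    r["syn_to_server"] = fwd.dst if fwd else None           # DNATed to a real server
    reply = Packet(fwd.dst, 80, "198.51.100.7", 40000)
    back = service_to_client(slb, reply)
    r["reply_src"] = back.src if back else None             # SNATed back to the VIP
    stray = Packet("192.0.2.99", 5555, VIP, 80)             # non-SYN packet, no session
    r["stray_passes_filter"] = stateless_filter(stray, INBOUND_RULES)
    r["stray_reaches_server"] = client_to_service(slb, stray) is not None
    r["ssh_to_vip"] = client_to_service(slb, Packet("192.0.2.99", 5556, VIP, 22, syn=True)) is not None
    egress = Packet("10.0.0.12", 4444, "192.0.2.50", 25, syn=True)  # server dialling out
    r["server_initiated_egress"] = service_to_client(slb, egress) is not None
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The stray packet is the interesting case: the stateless filter lets it through because it looks like web traffic, but the SLB has no session for it and so never translates it to a real server. The SSH attempt never gets past the filter, and a server trying to open its own connection outward finds neither a session in the SLB nor a permit in the outbound rules.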
