-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Peter J.
Cherny
Sent: Thursday, April 13, 2006 9:39 AM
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Info Request: Looking for alternatives in HA/Load
balancing firewalls ...

>At 04:24 AM 5/4/06, Keith A. Glass wrote:
>>We're currently spec'ing functional requirements for a new web-based
>>implementation of a number of enterprise apps. One obvious problem is
>>...


>I'm wondering, if it's a "new web-based implementation",
>why you need an L3 firewall?


>I'd have thought a simple stateless filter rule that allows
>web access, but denies the rest, would suffice.
>The state kept by the SLB fixes returned packets by only
>NATing valid session traffic.


Because it's not JUST web, but that's the way the project was sold.

It's a web portal front-end for a number of disparate apps, plus some
high-volume (huge attachments) email plus possibly some FTP (I know, I
know...) and a few other minor things...

>My contrary view is that the firewalls don't belong out-front,
>but should live deeper in a layered architecture ...
>... defense-in-depth means multiple choke points,
>not just a single perimeter barrier.


We're currently envisioning it as a DMZ with firewalls on both sides, and,
of course, DIFFERENT firewalls on different hardware/software platforms...



_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
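As an added illustration, not from either poster, here is an nftables ruleset for the outer firewall of the DMZ Keith describes: the stateless pair of rules Peter has in mind for the web portal sits beside the stateful rules that the mail and FTP traffic need. Interface names (eth0 outside, eth1 DMZ) and the 192.0.2.0/24 addresses are assumed.

```nftables
# Assumed outer DMZ firewall: eth0 faces the Internet, eth1 faces the DMZ.
# Hosts 192.0.2.10 (portal behind the SLB), .20 (mail), .30 (FTP) are
# constructed addresses for the example.
flush ruleset

table inet dmz_outer {
    # FTP's data channel is negotiated inside the control connection, so
    # no stateless rule can describe it; the helper follows the negotiation.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Peter's case: stateless rules for the portal. Inbound to 80/443,
        # outbound replies from those ports with ACK set (never a bare SYN).
        # The SLB behind this box is what actually tracks the sessions.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.10 tcp sport { 80, 443 } tcp flags & (syn|ack) == ack accept

        # Keith's case: mail and FTP. Long-lived SMTP sessions carrying large
        # attachments, and FTP with its helper, are admitted by connection
        # state rather than by port alone.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.20 tcp dport 25 ct state new accept
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.30 tcp dport 21 ct state new ct helper set "ftp-std" accept

        # Replies and helper-expected data channels for tracked sessions.
        ct state established,related accept

        # Log what the default policy drops, so the outer and inner
        # firewalls' views of the same traffic can be compared.
        log prefix "dmz-outer-drop: " drop
    }
}
```

The inner firewall, on a different platform as Keith intends, would carry its own independent policy between the DMZ and the internal apps rather than a copy of this one.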