Re: [fw-wiz] 10Gb Firewalls
Looked into this a couple of years ago for next-gen network
segmentation in the data centre; and I believe the Crossbeam Platform
(x-series) running Checkpoint will give you what you're looking for;
It's a network appliance, which runs various 'applications' e.g.
Checkpoint Firewall, Sourcefire, Imperva, Trend, Websense.
Otherwise, as others have already said -- Cisco has options either the
ASA platforms, or the 6500 with FWSM.
Re: SAN transport -- as others have already mentioned; i'd avoid
trying to transport low-latency traffic like iSCSI through a firewall
infrastructure. I'd be looking to keep this in a dedicated switched
transport network where possible (with Jumbo frame support); and if
it's traversing a WAN then use FCIP rather than iSCSI. It really
depends on your SAN archictecture -- but extending a SAN would mean
creating a larger fabric; whereas its better to connect indepedant
fabrics together using a 'routed' interconnect between the remote
locations (this prevents fabric reconfigurations in one location
impacting the other, or reconfigurations caused by WAN/MAN outage
impacting the local sites) - use something like Cisco's inter-VSAN
routing; or Brocade has a similar approach/solution I believe (using
what used to be called their FAP - fabric application platform).
2008/4/29 Kerry Milestone <firstname.lastname@example.org>:[color=blue]
> Hello kind Wizards,
> I am investigating the possibilities of putting a firewall on the end of a
> 10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this is a
> scoping project (though it _has_ to happen due to the nature of projects in
> the institute), cost is not the main issue. I've come across the Nortel
> Switched Firewall 6000, however this 'only' does 6Gb throughput.
> Alternatively, we have several firewalls which work at 1Gb and are
> wondering if its a better to chanelize [sic] and put say 10 firewalls each
> dealing with different traffic. In coming years, IP based VPN's to other
> sites will become more used - and more 10Gb links to site perhaps building
> up to a 40Gb WAN backbone. We currently have an IDS which will can handle
> this much volume.
> The next question, is extending the SAN. If using iSCSI, is it better to
> leave this traffic off the firewall and just route it through, say a GRE
> tunnel without encryption?
> Would be keen to hear any thoughts on the theory of what I want to do.
> Implementation is not so difficult, really after some 'best practices'
> Many thanks,
> The Wellcome Trust Sanger Institute is operated by Genome Research Limited,
> a charity registered in England with number 1021457 and a company registered
> in England with number 2742969, whose registered office is 215 Euston Road,
> London, NW1 2BE. _______________________________________________
> firewall-wizards mailing list
firewall-wizards mailing list