This is a discussion on Re: [fw-wiz] 10Gb Firewalls - Firewalls ; Just my $AU0.02 worth. Netscreen 5200/5400 are 10Gb/30Gb "capable" respectivly. http://www.juniper.net/products_and_...etscreen_5400/ Not sure how you would get "wire speed" on them though as 10Gb is only on fibre ;-) M@ 2008/4/30 Fetch, Brandon : > Apart from the recommendations you've ...
Just my $AU0.02 worth.
Netscreen 5200/5400 are 10Gb/30Gb "capable" respectivly.
Not sure how you would get "wire speed" on them though as 10Gb is only
on fibre ;-)
2008/4/30 Fetch, Brandon
> Apart from the recommendations you've seen suggested, perhaps your
> desire for the 10Gb firewall could be better addressed with a
> re-thinking of your design/architecture?
> You mention iSCSI traffic - passing that type of latency-sensitive
> traffic through a firewall would be a serious negative in my opinion.
> I'd bet $2 (or a single quid to you ) any iSCSI vendor would have
> fits troubleshooting an issue if you told them it was passing through a
> I guess that's where I'm pointing you is to reevaluate what/where you
> need to define access rules and determine whether you'd be better suited
> to using something other than a L3/4 device to segment/isolate traffic
> or access.
> If you're looking at running a consolidated SAN between a number of
> "limited" systems you've merely shifted your risk from IP/network to
> disk/SAN. Who's to say you couldn't get someone trying to elevate their
> level of access via the fiber-channel medium versus breaking through the
> Ethernet layer?
> Anyway - I think instead of trying to find the biggest hammer to strike
> all your little nails at one time, you might want to consider putting
> them into different boards in your house.
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of
> Kerry Milestone
> Sent: Tuesday, April 29, 2008 4:36 AM
> To: Firewall Wizards Security Mailing List
> Subject: [fw-wiz] 10Gb Firewalls
> Hello kind Wizards,
> I am investigating the possibilities of putting a firewall on the end of
> a 10Gb link. I'd like to be able to inspect at 10Gb wirespeed. As this
> is a scoping project (though it _has_ to happen due to the nature of
> projects in the institute), cost is not the main issue. I've come
> across the Nortel Switched Firewall 6000, however this 'only' does 6Gb
> Alternatively, we have several firewalls which work at 1Gb and are
> wondering if its a better to chanelize [sic] and put say 10 firewalls
> each dealing with different traffic. In coming years, IP based VPN's to
> other sites will become more used - and more 10Gb links to site perhaps
> building up to a 40Gb WAN backbone. We currently have an IDS which will
> can handle this much volume.
> The next question, is extending the SAN. If using iSCSI, is it better
> to leave this traffic off the firewall and just route it through, say a
> GRE tunnel without encryption?
> Would be keen to hear any thoughts on the theory of what I want to do.
> Implementation is not so difficult, really after some 'best practices'
> Many thanks,
> The Wellcome Trust Sanger Institute is operated by Genome Research
> Limited, a charity registered in England with number 1021457 and a
> company registered in England with number 2742969, whose registered
> office is 215 Euston Road, London, NW1 2BE.
> firewall-wizards mailing list
> This message is intended only for the person(s) to which it is addressed
> and may contain privileged, confidential and/or insider information.
> If you have received this communication in error, please notify us
> immediately by replying to the message and deleting it from your computer.
> Any disclosure, copying, distribution, or the taking of any action concerning
> the contents of this message and any attachment(s) by anyone other
> than the named recipient(s) is strictly prohibited.
> firewall-wizards mailing list
"Some things are eternal by nature,
others by consequence"
firewall-wizards mailing list