Hi Kerry,

> I am investigating the possibilities of putting a firewall on
> the end of a 10Gb link. I'd like to be able to inspect at 10Gb
> wirespeed.

If you want wirespeed, you need a wire, not a firewall.

Firewalls are about security, and security is about tradeoffs (threat
exposure, ease of use and sometimes performance):
- Full security comes as no traffic flow (look at the Ultimate Firewall TM of
Marcus J. Ranum)
- Full speed traffic comes as no security

You also have to define how many ms of delay you are ready to
accept, and whether you need high availability.

> As this is a scoping project (though it _has_ to happen due to
> the nature of projects in the institute), cost is not the main
> issue. I've come across the Nortel Switched Firewall 6000,
> however this 'only' does 6Gb throughput.

The point here is: "What is throughput?".
This 6Gb, is it:
- small packets
- big packets
- continuous flow
- burst
- first rules match
- last rules match
- with how many TCP connections?
- what was the delay?
- ...

> Alternatively, we have several firewalls which work at 1Gb and are
> wondering if its a better to chanelize [sic] and put say 10 firewalls
> each dealing with different traffic. In coming years, IP
> based VPN's to other sites will become more used - and more 10Gb
> links to site perhaps building up to a 40Gb WAN backbone.

To know what to do, go back to the basics:
- what are your trust zones?
- how are your trust perimeters defined (technically, in terms of
- what is your security policy?
Then you can define security architecture and rules.

Firewalls are there to enforce your security policy. If you have no security
policy, they are nothing more than a luckstone.

> We currently have an IDS which can handle this much volume.

If you have an IDS handling 10Gb it might be useless. To handle so
much traffic it is probably a signature-matching-only engine. As
signature editors cannot keep up with all the new attacks, that's
almost useless.
Moreover, how do you handle the logs, and who has a look at them?

Like firewalls, IDSs are there to enforce your security policy. If
you have no security policy, they are nothing more than a luckstone.

> The next question, is extending the SAN. If using iSCSI, is
> it better to leave this traffic off the firewall and just route
> it through, say a GRE tunnel without encryption?

Why do you need to get iSCSI through a firewall?
Back to the basics: who do you trust, what are your trust perimeters,

> Would be keen to hear any thoughts on the theory of what I
> want to do.
> Implementation is not so difficult, really after some 'best
> practices' thoughts.

Implementation is difficult, because the first step is to have a
security policy. Then implementation is not so difficult.

Jean-Denis Gorin
Reality is that which, when you stop believing in it, doesn't go away.
Philip K. Dick
firewall-wizards mailing list
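The "what is throughput?" point in the reply above (small vs. big packets, first vs. last rule match) can be made concrete with some capacity arithmetic. The following is an added example for readers of this thread, not code from either correspondent or from any vendor named here. It assumes standard Ethernet framing overhead (8 bytes of preamble/SFD and a 12-byte inter-frame gap added to each frame, with the FCS already inside the frame size) and a deliberately simple first-match linear rule walk as a stand-in for a firewall policy engine; the rule set and packets are constructed for illustration.

```python
"""Capacity arithmetic behind "what is throughput?" for a firewall link.

Added example (not from the original mailing-list post). Assumes standard
Ethernet overhead: 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap
per frame, with the 4-byte FCS counted inside the frame size.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREAMBLE_SFD_BYTES = 8      # 7-byte preamble + 1-byte start-of-frame delimiter
INTERFRAME_GAP_BYTES = 12   # minimum inter-frame gap on Ethernet
MIN_FRAME_BYTES = 64        # smallest legal Ethernet frame (incl. FCS)
MAX_FRAME_BYTES = 1518      # largest standard (non-jumbo) frame (incl. FCS)


def frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Line-rate frame count for a link of link_bps at a fixed frame size.

    This is the number of forwarding decisions a firewall must make per
    second to keep up: 6 Gb/s of 64-byte frames is ~8.9 M decisions/s,
    while 6 Gb/s of 1518-byte frames is only ~0.49 M decisions/s.
    """
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError("frame size outside the standard Ethernet range")
    bits_on_wire = (frame_bytes + PREAMBLE_SFD_BYTES + INTERFRAME_GAP_BYTES) * 8
    return link_bps / bits_on_wire


def per_frame_budget_ns(link_bps: float, frame_bytes: int) -> float:
    """Nanoseconds the inspection path may spend per frame at line rate."""
    return 1e9 / frames_per_second(link_bps, frame_bytes)


@dataclass(frozen=True)
class Rule:
    """One policy rule: protocol ('tcp', 'udp' or 'any'), optional dst port, action."""
    proto: str
    dst_port: Optional[int]
    action: str


def linear_first_match(rules: List[Rule], proto: str, dst_port: int) -> Tuple[str, int]:
    """Walk the rule list top-down, stop at the first match.

    Returns (action, number_of_rules_examined). A packet matched by the
    first rule costs one comparison; a packet that falls through to the
    implicit deny costs len(rules) comparisons.
    """
    for examined, rule in enumerate(rules, start=1):
        if rule.proto in (proto, "any") and (rule.dst_port is None or rule.dst_port == dst_port):
            return rule.action, examined
    return "deny", len(rules)  # implicit default deny at the end of the list


def workload_report(link_bps: float, frame_bytes: int,
                    rules: List[Rule], proto: str, dst_port: int) -> Dict[str, float]:
    """Combine packet size and rule position into one per-second workload figure."""
    fps = frames_per_second(link_bps, frame_bytes)
    action, comparisons = linear_first_match(rules, proto, dst_port)
    return {
        "frames_per_second": fps,
        "budget_ns_per_frame": 1e9 / fps,
        "rule_comparisons_per_frame": comparisons,
        "rule_comparisons_per_second": fps * comparisons,
        "action": action,
    }


# Constructed sample policy: a few permits, everything else denied.
SAMPLE_RULES: List[Rule] = [
    Rule("tcp", 443, "permit"),
    Rule("tcp", 25, "permit"),
    Rule("udp", 53, "permit"),
    Rule("tcp", 22, "permit"),
    Rule("any", None, "deny"),
]

if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"6 Gb/s, {size:4d}-byte frames: "
              f"{frames_per_second(6e9, size):>12,.0f} frames/s, "
              f"{per_frame_budget_ns(6e9, size):8.1f} ns per frame")
    best = workload_report(6e9, 64, SAMPLE_RULES, "tcp", 443)   # first rule hits
    worst = workload_report(6e9, 64, SAMPLE_RULES, "tcp", 8080) # falls to last rule
    print("first-rule match:", best)
    print("last-rule match: ", worst)
```

The two figures a vendor's single "6Gb" number hides are visible here: the frame size sets how many decisions per second are needed, and the rule position multiplies the work per decision, so the same nominal throughput can differ by an order of magnitude in decisions per second and by another factor of the rule-list length in comparisons per second.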