[fw-wiz] Firewall recommendations please

Robert Alexander RAlexander@Scient.com
Mon, 11 Sep 2000 10:11:50 -0500

I would throw out two suggestions for your proposed architecture:

First, look into Foundry Networks ServerIron. They have a specific feature
called FireWall Load Balancing, which I have used in the past to load
balance incoming sessions across 4 Nokias running FW-1. With this setup, you
don't have an active/passive setup - you actually have the combined
throughput of all involved firewalls, and if your throughput needs increase,
you simply plug in another firewall.

Second, if you decide to go with an all Cisco solution and use the PIX 520,
look into PIX IOS v5.1(2). Since v5, the PIX can do full stateful session
failover via a dedicated NIC interface that runs a crossover between both
firewalls. I am not a big fan of the PIX failover, though. The failover time
can vary from 15 sec. to as much as 5 minutes, depending on what event
causes the failure. Also, Cisco recently introduced gig interfaces for the

-----Original Message-----
From: Darren Mackay [mailto:darren.mackay@uq.net.au]
Sent: Sunday, September 10, 2000 7:56 AM
To: firewall-wizards@nfr.com
Subject: [fw-wiz] Firewall recommendations please

Hi all,

I have been working on a proposal for an 'e-commerce' hosting service
(hosted sites are for business data / stock quotes / portfolio access
and similar). The requirements that I have to work with are (not much,
I know):

1. 45mb internet link, with the client expecting around 20mb/s traffic
average through the day.

2. Inbound protocols
- http / https (average of 1kb/s per user over 5 seconds)
- some sites may use their own protocols via a java or activex app in
the browser (not sure how sensitive these may be to latency)
- smtp
- roaming user vpn (citrix ICA)

3. Outbound protocols (for their own staff)
- http / https
- ftp
- smtp
- citrix ICA (via vpn)

The client absolutely wants fw-1 on a single solaris sparc box (with a
second for failover) but we have our doubts whether it can handle
it - especially the latency overhead we have seen at other sites for
protocols such as ICA (even if it is the first rule) when the total
number of concurrent connections being managed by the firewall is
above 100 or so (from the info we have been given, the estimated
average number of concurrent connections is between 1500 and 2000
concurrent connections managed by the firewall).

To keep with the client's wishes for fw-1 on solaris, we are proposing
the following:

     |             |
    fw-1          fw-1
     |             |
     catalyst 6500 (VLANs)
      hosted servers
  each on their own VLAN
    (approx 25 VLANS)


- we plan to use stonebeat to load balance the fw-1 boxes (instead of
fail over) (never used stonebeat before)

- each VLAN will have ACLs to prevent the hosted services from seeing
each other

- we plan to use the load balancing feature of the catalyst for some
sites with redundant web servers

- VPNs will be terminated on an internal VPN / firewall server - not
on the external firewalls

- considering floodgate for bandwidth management (customer request)
(never used before - comments please?)

- considering using fw-1 on intel or fw-1 for linux (rationale - more
raw cpu; can purchase 4 single cpu boxes including fw-1 licenses for
the cost of 2 dual processor sparcs with fw-1 licenses, not including
stonebeat of course)

- I would like the 'office' internet access and vpns to be moved to a
separate internet link (certainly the vpn stuff anyway - even if the
45mb link is only using 20mb, citrix - the primary protocol to run
over the vpn - will perform way better on a dedicated link than if it
has to share bandwidth with http / https / smtp)

- all subnets except the office LAN will be using publicly routable

- client desires (does not require) that, in the event a firewall dies,
existing connections be failed over

- is the above design going to handle the load (for the number of
concurrent connections)? what changes do you recommend to be made to
handle the proposed connection load and protocols?

- I have seen stats on the cp website showing throughput for several
os's. is anyone able to tell me which is faster, fw-1 for solaris (on
intel) or fw-1 for linux on the same intel box?

- we have been considering using an all cisco solution (my personal
      - replace fw-1 with pix 520 - but cannot fail
        over existing connections?
      - load balance with Catalyst 4840G SLB Switch
        or Content Services Switch (layer 6 / 7 load
        balancing switch - can be optimised for http
        and custom protocols and for streaming
        multicast) - but cannot fail over existing
  has anyone implemented a site similar to the above using all cisco??

- are there any other products or designs we should be looking at

- should we fully firewall each VLAN from the others, and use
normal subnets each connected to a separate firewall port instead
(limited by the number of ethernet ports? - need to be at least 25
subnets, may be a max of 30 separate subnets)

- I have seen a few posts referring to PIX as not being secure - I have
never had a problem, can you elaborate on why you think it is not
secure please?

Any advice or comments are greatly appreciated,

Darren Mackay

Firewall-wizards mailing list
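The sizing question in the original post (will the design carry 1500-2000 concurrent sessions, and what happens to existing sessions when one firewall dies) and the reply's point about active/active versus active/passive capacity are easy to put into a small model. The block below is an added example, not part of either message on this page and not a vendor tool. It reads the post's "1kb/s per user" as 8 kbit/s, estimates concurrent sessions as aggregate rate divided by per-session rate, and uses a constructed per-node session rating of 1000; all three are assumptions of the example, not figures from the page.

```python
"""Sizing model for a load-balanced firewall cluster (added example).

Hypothetical helper: it takes the traffic figures from the post and a
per-node session rating (a constructed placeholder, not a vendor number)
and reports whether the cluster still fits its existing sessions after
losing one firewall.
"""
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class LoadProfile:
    aggregate_mbps: float    # expected average traffic through the firewalls
    per_session_kbps: float  # average rate one session draws while active


def concurrent_sessions(profile: LoadProfile) -> float:
    """Sessions that must sit in the state table at the same time.

    Assumption of this example: every active session draws
    per_session_kbps, so aggregate rate / per-session rate is the number
    of simultaneous sessions the firewall tier must track.
    """
    return profile.aggregate_mbps * 1000.0 / profile.per_session_kbps


def cluster_capacity(n_nodes: int, sessions_per_node: int,
                     mode: str) -> Tuple[int, int]:
    """Return (normal capacity, capacity after one node failure).

    active-active: every node carries load, so one failure removes 1/n
    of the capacity and the survivors must absorb the orphaned sessions.
    active-passive: one node carries all load; the standby takes over at
    the same capacity (provided state sync keeps the table current).
    """
    if n_nodes < 2:
        raise ValueError("a resilient cluster needs at least two nodes")
    if mode == "active-active":
        return n_nodes * sessions_per_node, (n_nodes - 1) * sessions_per_node
    if mode == "active-passive":
        return sessions_per_node, sessions_per_node
    raise ValueError(f"unknown mode {mode!r}")


def survives_one_failure(peak_sessions: float, n_nodes: int,
                         sessions_per_node: int, mode: str) -> bool:
    """True if the existing sessions still fit after losing one firewall."""
    _, degraded = cluster_capacity(n_nodes, sessions_per_node, mode)
    return peak_sessions <= degraded


def nodes_for_n_plus_one(peak_sessions: float, sessions_per_node: int) -> int:
    """Smallest active-active cluster whose peak fits on N-1 nodes."""
    return math.ceil(peak_sessions / sessions_per_node) + 1


if __name__ == "__main__":
    # Figures from the post: 20 Mb/s average, about 1 kB/s (8 kbit/s) per user.
    profile = LoadProfile(aggregate_mbps=20, per_session_kbps=8)
    peak = concurrent_sessions(profile)
    print(f"estimated concurrent sessions: {peak:.0f}")
    rating = 1000  # constructed per-node session rating, not a vendor figure
    for n, mode in ((2, "active-passive"), (2, "active-active"), (4, "active-active")):
        normal, degraded = cluster_capacity(n, rating, mode)
        verdict = "OK" if survives_one_failure(peak, n, rating, mode) else "OVERLOAD"
        print(f"{n} x {mode:14s} normal={normal:5d} after-failure={degraded:5d} {verdict}")
    print(f"N+1 active-active nodes needed: {nodes_for_n_plus_one(peak, rating)}")
```

The point the model makes explicit is the one the reply hints at: an active/active cluster only preserves existing sessions through a failure if the peak load fits on N-1 nodes, so the extra throughput of the full cluster is headroom, not capacity to plan against.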