> If you've got a T3 or better into the
> Internet and are feeding it with an FDDI, chances are that you've got a
> pretty big installation behind it, with multiple LANs feeding into your
> FDDI border.
One contradictory data point here. We have a medium-size installation
(a few hundred hosts) and we've got a backbone net inside our main
router that consists of one FDDI ring and one Ethernet, with other
routers hanging off those. Outside the router, we've got another FDDI
ring which has our T1 line to the main Internet, plus another router
that has dedicated T3 lines to other NSF supercomputer centers attached
to it. Some of those centers have CRAYs attached to FDDI that want to
talk to our CRAY attached to FDDI. They are quite capable of sustaining
transmission at the maximum bandwidth that the FDDI<->T3<->FDDI
connection is capable of, so we need a firewall that can pass packets
at well beyond T1 speeds. This is not some hypothetical off-in-the-future
thing, it is right here, right now. Performance issues are important.
> It's also likely that you have enough budget to purchase
> multiple firewalls.
> This requires management of multiple firewall machines
> Am I missing something fundamental here?
You're not "missing" anything; it's just that having to manage multiple
firewall machines increases the cost of the firewall, both in equipment
and manpower, and is much harder to keep secure. Ideally, I'd much
prefer one big machine that can handle the load. However, it's clear
that such a machine does not yet exist, so we have no choice but to
go with multiple firewall machines.