Sorry for the long delay in responding to this. I've been busy adding new
features to the PIX.
Some of the comments concerning the PIX are a little off. The PIX is not a router.
The PIX works great as a firewall. We keep connection state on all TCP connections and will drop inbound datagrams that have no connection object allocated for that host.
A quick overview of how the PIX works.
The PIX has two ethernet interfaces: inside and outside.
IP datagrams arriving on the inside cause a new address to be allocated from a pool of global addresses and used to translate the source of the outbound datagram. If the datagram is a TCP datagram, a connection object is allocated and the foreign IP address and all the port numbers are saved.
When a datagram arrives from the outside, the translation table is searched for an active translation. If none is found the datagram is logged and dropped.
If a translation is found, and the datagram is a TCP datagram, the connections for that host are searched for this TCP connection. If a connection object is not found the datagram is logged and dropped. Normally no connection object can be created from the outside.
As you can see, this gives us great filtering power with a limited amount of overhead.
We have tested the box to 10,000 connections with only a small performance degradation.
We pump about 600-700K through a typical TCP connection.
Brantley Coile
Network Translation, Inc.
bwc@translation.com
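The overview above, modelled as an added Python example. This is not PIX code and is not from the original message; it is a small simulation of the described behaviour: a pool of global addresses, a translation table that is only ever populated by inside-originated datagrams, per-host TCP connection objects recording the foreign address and both ports, and inbound handling that logs and drops anything without a matching translation or connection. All addresses, ports and the pool are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample pool of global (outside) addresses; not from the original message.
GLOBAL_POOL = ["192.0.2.10", "192.0.2.11"]

# A TCP connection object: (foreign address, inside port, foreign port).
ConnKey = Tuple[str, Optional[int], Optional[int]]


@dataclass
class Translation:
    """One inside host mapped to one global address, plus its TCP connections."""
    inside_addr: str
    global_addr: str
    connections: Set[ConnKey] = field(default_factory=set)


class PixLikeFirewall:
    """Two-interface stateful translator in the style the message describes."""

    def __init__(self, pool: List[str]) -> None:
        self.free: List[str] = list(pool)          # unallocated global addresses
        self.by_inside: Dict[str, Translation] = {}  # inside addr -> translation
        self.by_global: Dict[str, Translation] = {}  # global addr -> translation
        self.log: List[str] = []                    # dropped datagrams

    def outbound(self, src: str, dst: str, proto: str,
                 sport: Optional[int] = None,
                 dport: Optional[int] = None) -> Optional[Tuple[str, str]]:
        """Datagram arriving on the inside interface.

        Allocates a global address on first sight of an inside host, records a
        connection object for TCP, and returns the translated (src, dst) pair.
        Returns None (and logs) if the global pool is exhausted.
        """
        xlate = self.by_inside.get(src)
        if xlate is None:
            if not self.free:
                self.log.append(f"drop outbound {src}->{dst}: global pool exhausted")
                return None
            xlate = Translation(src, self.free.pop(0))
            self.by_inside[src] = xlate
            self.by_global[xlate.global_addr] = xlate
        if proto == "tcp":
            # Save the foreign address and both port numbers for this host.
            xlate.connections.add((dst, sport, dport))
        return (xlate.global_addr, dst)

    def inbound(self, src: str, dst: str, proto: str,
                sport: Optional[int] = None,
                dport: Optional[int] = None) -> Optional[str]:
        """Datagram arriving on the outside interface; dst is a global address.

        Returns the inside address to forward to, or None if the datagram was
        logged and dropped. No translation or connection is ever created here.
        """
        xlate = self.by_global.get(dst)
        if xlate is None:
            self.log.append(f"drop inbound {src}->{dst}: no active translation")
            return None
        if proto == "tcp":
            # An inbound reply has the foreign host as its source, so the
            # connection object it must match is (src, our port, their port).
            if (src, dport, sport) not in xlate.connections:
                self.log.append(
                    f"drop inbound {src}:{sport}->{dst}:{dport}: no connection object")
                return None
        return xlate.inside_addr


def demo() -> Tuple[Optional[str], Optional[str], Optional[str], List[str]]:
    """Walk through the three cases the message describes with constructed traffic."""
    fw = PixLikeFirewall(GLOBAL_POOL)
    # Inside host opens a TCP connection to an outside web server.
    fw.outbound("10.1.1.5", "198.51.100.7", "tcp", 40000, 80)
    # The server's reply matches the saved connection object and is forwarded.
    reply = fw.inbound("198.51.100.7", "192.0.2.10", "tcp", 80, 40000)
    # An unsolicited TCP datagram to the same global address has no connection object.
    unsolicited = fw.inbound("203.0.113.9", "192.0.2.10", "tcp", 12345, 22)
    # A datagram to a global address with no active translation is dropped too.
    no_xlate = fw.inbound("203.0.113.9", "192.0.2.11", "tcp", 12345, 22)
    return reply, unsolicited, no_xlate, fw.log


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The design mirrors the two lookups in the text: `by_global` is the translation-table search done for every outside datagram, and `Translation.connections` is the per-host connection search done only for TCP. Because `inbound` never writes to either table, the only way a connection object comes into existence is an inside-originated datagram, which is the property that gives the filtering its strength.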