At 2:41 PM 4/25/95, Dermot Tynan wrote:
>The RTT of
>a single packet through a stateless firewall is pretty much irrelevant
>at FDDI speeds. Sure, the *per packet* overhead is marginal, but if
>you do have an FDDI link, the overall bandwidth-gating item will
>probably be the firewall. You'll be paying for a high-bandwidth link
>to the outside world, and it will run into packet starvation on
>transmit, and dropped packets on receive.
[...and so on...]
I'm surprised that no one has yet pointed out the obvious solution to this
with off-the-shelf technology: If you've got a T3 or better into the
Internet and are feeding it with an FDDI, chances are that you've got a
pretty big installation behind it, with multiple LANs feeding into your
FDDI border. It's also likely that you have enough budget to purchase
multiple firewalls. In that case, you can do some simple load sharing by
running multiple firewalls closer to the machines they're screening and
keeping your firewall off the border net. No funky parallel processors.
This requires management of multiple firewall machines (though they could
be configured identically), and it won't work for everyone (e.g., if you
have the need to protect a single big honkin' machine that's directly
attached to your FDDI) but for a lot of people it should be a no-brainer.
Am I missing something fundamental here? Or are folks just really fond of
the big expensive bottleneck solution?