Please CC all responses to my personal address (wightman@sol.acs.uwosh.edu),
since I am subscribed to firewalls digest and don't get a lot of time to do
more than scan firewalls.
My organization is looking into a high-end database system and would
like to firewall the DB system to basically allow the following:
1) Incoming connections by 1 or 2 people (possibly encrypted; let's
assume, since it is not pertinent for my question, that it is
a secured connection) for administration of the box itself.
2) Incoming SQL*Net or some such TCP-based pipe for database
manipulation, and outgoing responses.
3) Incoming and outgoing file transfers to allow interaction with
legacy systems. These would usually happen at non-peak-use
hours and be accomplished using FTP. These transfers would be
limited to specific hosts within our domain.
4) Outgoing log / alert / maintenance messages. This would probably
be accomplished with SNMP (or similar) and SMTP.
5) Outgoing LPR requests for reports, etc. This would have to be
encrypted or on a trusted subnet (unsniffable).
6) Deny all other traffic.
7) Log all connections, allowed or denied.
The network configuration would be something like:

+--------+ 100BT port            100BT port +------------+
| Switch |-----------------+  +-------------| DB Cluster |
+--------+                 |  |             +------------+
                       +---+--+---+
                       | FW 1 box |
                       +----------+
The salesman (Sun) said that the FW1 box would be able to keep up with
the 100 MB pipe. For those of you who use FW1, from experience, how
large of a FW 1 box would one need to accomplish the rules above with
at least a 20-30% (50-70% peak) load on the 100MB switch port?
Same questions as above for Cisco PIX firewall. One salesman said T3
speeds. Another said wire speeds up to 100 Mb.
Thanks in advance,
Brian
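As an added illustration (not part of Brian's post, and not FW-1 or PIX syntax), the
seven rules above written out as a first-match, default-deny policy that logs every
decision. All addresses are constructed, and the ports are assumptions: SSH 22 for
administration, Oracle SQL*Net 1521, FTP control 21, SNMP trap 162/udp, SMTP 25, LPR 515.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses: the DB cluster, two admin workstations (rule 1),
# the legacy hosts allowed to FTP (rule 3) and the site network that
# receives traps, mail and print jobs (rules 4 and 5).
DB = ip_address("192.0.2.10")
ADMIN_HOSTS = (ip_network("192.0.2.20/32"), ip_network("192.0.2.21/32"))
LEGACY_HOSTS = (ip_network("192.0.2.64/27"),)
SITE = (ip_network("192.0.2.0/24"),)

@dataclass(frozen=True)
class Conn:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int

def conn(src, dst, proto, dport):
    """Build a Conn from string addresses (the connection's initiator is src)."""
    return Conn(ip_address(src), ip_address(dst), proto, dport)

def _in(addr, nets):
    return any(addr in n for n in nets)

def inbound(port, srcs, proto="tcp"):
    """Connection initiated towards the DB on `port` from one of `srcs`."""
    return lambda c: c.dst == DB and c.proto == proto and c.dport == port and _in(c.src, srcs)

def outbound(port, dsts, proto="tcp"):
    """Connection initiated by the DB to `port` on one of `dsts`."""
    return lambda c: c.src == DB and c.proto == proto and c.dport == port and _in(c.dst, dsts)

# Evaluated top to bottom, first match wins; whatever falls through is rule 6.
POLICY = [
    ("1-admin-ssh", inbound(22, ADMIN_HOSTS)),
    ("2-sqlnet", inbound(1521, SITE)),
    ("3-ftp-in", inbound(21, LEGACY_HOSTS)),
    ("3-ftp-out", outbound(21, LEGACY_HOSTS)),
    ("4-snmp-trap", outbound(162, SITE, proto="udp")),
    ("4-smtp", outbound(25, SITE)),
    ("5-lpr", outbound(515, SITE)),
]

def evaluate(c, log):
    """Return ("allow"|"deny", rule name) and append one log line (rule 7)."""
    for name, match in POLICY:
        if match(c):
            log.append(f"ALLOW {name} {c.src}->{c.dst} {c.proto}/{c.dport}")
            return "allow", name
    log.append(f"DENY 6-default-deny {c.src}->{c.dst} {c.proto}/{c.dport}")
    return "deny", "6-default-deny"
```

Only the FTP control channel is modelled here; the separate data connection FTP opens
is exactly what a stateful firewall (or FTP proxy) has to track, and it is the part of
rule 3 that a plain port filter like this cannot express.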