[c-nsp] firewall w/ >1Gbps interfaces

Adam Greene maillist at webjogger.net
Thu Nov 3 11:03:21 EST 2005


A couple of weeks ago, I asked about ways of establishing a >1Gbps connection
between two servers through a Cisco firewall. I got lots of great feedback.
Unfortunately, the project got pushed off my plate until now, so I couldn't
follow up until now.

Here's a summary of the case: Our customer runs a medical imaging service
and needs to establish some kind of security between a webserver and an
image server. The images are huge and he needs the fastest possible
connection between the two devices. But he also needs to put the webserver
in a DMZ and the image server behind an iron wall of security.

Michael suggested a 6500/7600 firewall blade. That will be out of budget,
but I'll mention it to the customer so he can see something to consider in
the future once he grows.

Rubens asked if the servers are powerful enough and the applications fast
enough to achieve >1Gbps bursts. Great question -- we'll be doing some lab
testing to find the answer.

Saku suggested running etherchannel between 1x or 2x 3750, which I think is
probably the option we're going to try.

I think what we're going to do is set up an ASA 5510 facing the Internet and
place the 3750 behind it. The only legitimate way to gain access to the
image server from the Internet will be to VPN to the ASA 5510, and there
will be a packet filter between the image and web servers.

My main question at this point is: Saku and Michael mentioned that a
stateful firewall (i.e. the ASA 5510) in front of the web server may be more
easily brought down by a DoS than a simple packet filter would be. I am
thinking that a 2800 router might be more appropriate than the ASA 5510 in
this case. I'm still stuck on the stateful firewall vs packet filter
conundrum, though. Considering all of the above, would you still agree that
a packet filter (i.e. 2800) would be superior to an ASA 5510 for this

Belated thanks,

