[c-nsp] firewall w/ >1Gbps interfaces

Rubens Kuhl Jr. rubensk at gmail.com
Wed Oct 19 12:45:33 EDT 2005


> Does anyone have a suggestion? As far as I can tell, the ASA and PIX series
> support 1Gbps interfaces max, and I don't see any reference (so far) in the
> documentation that these devices support etherchannel aggregation.
>
> Our customer runs a medical imaging service and needs to establish some kind
> of security between a webserver and an image server. The images are huge and
> he needs the fastest possible connection between the two devices. But he
> also needs to put the webserver in a DMZ and the image server behind an iron
> wall of security.

How would these devices be connected, 10GbE interfaces? Are the
servers powerful enough and the applications fast enough to achieve >1
Gbps bursts?

Either way, I think ACLs would provide enough security between the
image server and the web server. Just code them well ("permit tcp host
a.a.a.a gt 1023 host b.b.b.b eq port" / deny anything else on one side,
"permit tcp host b.b.b.b eq port host a.a.a.a gt 1023 established" /
deny anything else on the other side) and include all other L2
security measures that would also be required with stateful filtering
like port-security and ARP ACLs.

Rubens



>
> The thought of activating a firewall feature set on a 3750 / 4948 or 2800 /
> 3800 and doing etherchannel also crossed my mind ...
>
> Any thoughts appreciated,
> Adam
>

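The ACL pair Rubens describes, modelled as an added example (this is not code from the post or from the cisco-nsp list). The addresses, the service port and the packets are constructed: a.a.a.a is taken as 10.0.0.10 (web server), b.b.b.b as 10.0.1.10 (image server) and "port" as TCP 8080. The example goes one step beyond the post by placing a minimal connection tracker beside the two stateless ACLs, so the difference between the IOS `established` keyword (a test on the ACK/RST flags) and real stateful filtering can be seen on concrete segments.

```python
"""Stateless ACL pair from the post, modelled in Python.

Constructed values (not from the post):
  a.a.a.a = web server   10.0.0.10
  b.b.b.b = image server 10.0.1.10
  port    = image service TCP 8080
"""
from dataclasses import dataclass

WEB_SERVER = "10.0.0.10"    # a.a.a.a (constructed)
IMAGE_SERVER = "10.0.1.10"  # b.b.b.b (constructed)
SERVICE_PORT = 8080         # "port" (constructed)


@dataclass(frozen=True)
class Segment:
    """Only the TCP/IP fields the two ACLs look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def acl_from_web(seg: Segment) -> str:
    """Inbound on the web-server-facing interface:
         permit tcp host a.a.a.a gt 1023 host b.b.b.b eq <port>
         deny   ip  any any
    """
    if (seg.src == WEB_SERVER and seg.sport > 1023
            and seg.dst == IMAGE_SERVER and seg.dport == SERVICE_PORT):
        return "permit"
    return "deny"


def acl_from_image(seg: Segment) -> str:
    """Inbound on the image-server-facing interface:
         permit tcp host b.b.b.b eq <port> host a.a.a.a gt 1023 established
         deny   ip  any any
    IOS 'established' is a flag test only: it matches when ACK or RST is set.
    """
    if (seg.src == IMAGE_SERVER and seg.sport == SERVICE_PORT
            and seg.dst == WEB_SERVER and seg.dport > 1023
            and (seg.ack or seg.rst)):
        return "permit"
    return "deny"


class StatefulFilter:
    """Minimal connection tracker, for contrast with 'established':
    return traffic is allowed only for flows the web server opened with a SYN."""

    def __init__(self):
        self.flows = set()  # (client_ip, client_port) pairs seen in a SYN

    def from_web(self, seg: Segment) -> str:
        verdict = acl_from_web(seg)
        if verdict == "permit" and seg.syn and not seg.ack:
            self.flows.add((seg.src, seg.sport))
        return verdict

    def from_image(self, seg: Segment) -> str:
        if (seg.src == IMAGE_SERVER and seg.sport == SERVICE_PORT
                and (seg.dst, seg.dport) in self.flows):
            return "permit"
        return "deny"


def demo() -> dict:
    """Run constructed segments through the ACL pair and the tracker.
    Each value is (stateless ACL verdict, stateful tracker verdict)."""
    syn = Segment(WEB_SERVER, 40000, IMAGE_SERVER, SERVICE_PORT, syn=True)
    synack = Segment(IMAGE_SERVER, SERVICE_PORT, WEB_SERVER, 40000, syn=True, ack=True)
    image_initiated = Segment(IMAGE_SERVER, 50000, WEB_SERVER, 80, syn=True)
    other_host = Segment("192.0.2.7", 40000, IMAGE_SERVER, SERVICE_PORT, syn=True)
    # ACK-flagged segment towards a port the web server never opened
    orphan_ack = Segment(IMAGE_SERVER, SERVICE_PORT, WEB_SERVER, 41000, ack=True)

    tracker = StatefulFilter()
    return {
        "syn": (acl_from_web(syn), tracker.from_web(syn)),
        "synack": (acl_from_image(synack), tracker.from_image(synack)),
        "image_initiated": (acl_from_image(image_initiated), tracker.from_image(image_initiated)),
        "other_host": (acl_from_web(other_host), tracker.from_web(other_host)),
        "orphan_ack": (acl_from_image(orphan_ack), tracker.from_image(orphan_ack)),
    }


if __name__ == "__main__":
    for name, (acl, stateful) in demo().items():
        print(f"{name:16s} acl={acl:6s} stateful={stateful}")
```

The first four segments show the ACL pair doing what the post intends: the web server may open connections to the image service, the handshake reply comes back, and neither the image server nor a third host can initiate towards the other side. The last segment is the caveat worth knowing before choosing ACLs over a firewall: `established` accepts any ACK-flagged segment from the service port to a high port on the web server, while the tracker rejects it because no matching SYN was ever seen. That gap is exactly what the L2 measures Rubens lists (port-security, ARP ACLs) are meant to narrow, and what a stateful device closes outright.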