[c-nsp] High-density, high-reliability firewall

Rick Ernst nsp at shreddedmail.com
Tue Dec 18 15:17:58 EST 2007


We currently have a pair of redundant Checkpoint NG-X firewalls feeding a
Catalyst 5500 switching fabric. Each of about 70 networks is on its own
VLAN.  We push about 100Mbs and 10Kpps aggregate traffic.

While the firewalls are redundant for each other, they have still been hit
by a couple of service disruptions from problems such as multi-megabit
small UDP packets to multiple destinations.

I'm looking at replacing the firewall infrastructure with something more
robust.  The boundaries are dedicated firewall appliances for each network
or a resilient monolithic device.  Discrete devices would need central
management and a lot of rack space/power.  A monolithic device has the
potential to take out all the protected networks.

I'm looking at Cisco's FWSM (WS-SVC-FWM-1-K9) on a 6500 or 7600 since it
has the concept of contexts and resource quotas.  My concern is that a
flood of bad traffic could still crater the box, just like our existing
devices.

Does anybody have real-world experience with how the FWSM handles DDoS
type traffic?  Suggestions for other products?  Anybody make a
"blade-firewall" for high-density discrete devices?  I've found one, but
it appears to be vaporware.

We aren't pushing much traffic, but we do want room for growth (say 200
networks, 50Kpps, and 500Mbs), but we really need the reliability.

Thanks,
Rick
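As an added illustration (not part of Rick's post, and not a configuration he or anyone on the list supplied), this is the shape of the FWSM resource-quota mechanism he refers to: in multiple-context mode, resource classes are defined in the system execution space and each context is made a member of one, so a flood into one protected network consumes that context's connection slots and connection rate rather than the whole module's. Class names, VLAN numbers, file names and the specific limit values below are assumed for the example; the `class`, `limit-resource` and `member` keywords are the FWSM's own.

```cisco
! System execution space of an FWSM in multiple-context mode.
! Values and names are illustrative, not a recommendation for any specific site.

! Contexts that are not assigned a class fall into "default", which is
! effectively unlimited for most resources, so cap it explicitly.
class default
  limit-resource conns 5%
  limit-resource rate conns 500
  limit-resource hosts 2000
  limit-resource rate syslogs 500

! A class for networks that need more headroom; percentages are of the
! module-wide maximum, "rate" limits are per second.
class gold
  limit-resource conns 15%
  limit-resource rate conns 2000
  limit-resource rate inspects 1000
  limit-resource hosts 9000
  limit-resource xlates 36000
  limit-resource rate syslogs 2000

! One context per protected VLAN; each context gets only the interfaces
! it needs and inherits the quotas of its class.
context net-100
  allocate-interface vlan100
  allocate-interface vlan900 outside
  config-url disk:/net-100.cfg
  member gold

context net-101
  allocate-interface vlan101
  allocate-interface vlan900 outside
  config-url disk:/net-101.cfg
  ! no "member" line: this context runs under the capped default class
```

The per-context `rate conns` limit is the control most relevant to the small-UDP-packet scenario in the post, since every new flow to a new destination is a new connection from the firewall's point of view; once a context hits its quota, new flows in that context are dropped and the other contexts keep their own allocation. `show resource usage` (from the system space) shows per-context consumption against these limits and is the place to look when deciding whether a given class is sized correctly.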

