[c-nsp] Firewall/IPS Load Balancing

Murphy, William William.Murphy at uth.tmc.edu
Tue Mar 20 12:12:58 EDT 2012


Thanks for your feedback, but I don't think I am confused.  GigaMon produces a G-Secure-0216 device which allows you to take a 10G link and split the flows/conversations across up to 8 1G links.  They basically call it a security device load balancer.  The device operates at close to line rate and can allocate the flows using MAC address, IP address, and even layer-4 ports (user configurable).  What I am trying to achieve is independence from vendor-proprietary clustering and load-sharing approaches, and to have something that is more linearly scalable simply by adding another parallel device into the path.  I won't name names, but certain security vendors don't do A/A very well...

Bill


-----Original Message-----
From: Eugeniu Patrascu [mailto:eugen at imacandi.net] 
Sent: Tuesday, March 20, 2012 4:32 AM
To: Murphy, William
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Firewall/IPS Load Balancing

On Tue, Mar 20, 2012 at 00:50, Murphy, William <William.Murphy at uth.tmc.edu> wrote:
> I thought I would poll the list to solicit recommendations on how to do firewall/IPS load balancing.  I am considering a traffic distribution switch from GigaMon but I am curious what other products might be out there, or perhaps even features in Cisco 6500 product that would achieve the same result.  I am not interested in paying for full blown ADC/SLB boxes (ACE or whatever) with more features than I need, and the GigaMon approach seems like it fits that bill.  Thanks in advance for your feedback.

Hi,

I think you are a bit confused: GigaMon does not produce/sell load balancing "switches". What they sell is sniffing equipment that can be very granular about what you want to capture and can audit this (for example, before receiving traffic you have to authenticate to the device).
If you want firewall high availability, the simplest solution is to buy two firewalls and run them in A/A or A/P configuration.
ACE or another SLB solution will balance incoming traffic to a pool of servers based on some criteria that you can usually choose from.

I think you need to describe better what your needs are and what you want to accomplish.

HTH,
Eugeniu
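The flow splitting Bill describes above (one 10G link spread across up to eight 1G sensors by hashing on MAC, IP or layer-4 ports) has one property worth checking before trusting it in front of stateful firewalls or IPS: both directions of a conversation must land on the same device, or the sensor sees only half the state. The Python below is an added example, not code from this thread or from any vendor's product; the sample flows, the HASH_KEY secret and the function names are assumptions constructed for illustration. It hashes a canonical (sorted) endpoint pair so A->B and B->A pick the same link, contrasts that with a naive directional hash, and uses a keyed hash so the bucket choice cannot be steered by an attacker who controls source ports.

```python
"""Symmetric flow hashing for distributing one 10G link across N 1G sensors.

Added example (not from the thread or from any vendor).  Sample flows are
constructed, not captured; HASH_KEY is a placeholder for a real secret.
"""
import hashlib
import ipaddress
import struct
from collections import Counter
from typing import Optional

# Assumption: a per-deployment secret.  Without a key, an attacker who can pick
# source ports can aim every flow at one sensor (hash-flooding the IPS).
HASH_KEY = b"replace-with-per-deployment-secret"


def canonical_key(src_ip: str, dst_ip: str, proto: int,
                  src_port: Optional[int] = None, dst_port: Optional[int] = None,
                  fields: str = "ip_port") -> bytes:
    """Direction-independent key: A->B and B->A give identical bytes.

    fields="ip" hashes on the IP pair only; fields="ip_port" adds L4 ports.
    Packets without an L4 header (non-initial fragments, ICMP) always fall
    back to the IP pair, so use fields="ip" for all traffic if fragments
    must stay with their conversation.
    """
    a = ipaddress.ip_address(src_ip).packed
    b = ipaddress.ip_address(dst_ip).packed
    if fields == "ip" or src_port is None or dst_port is None:
        lo, hi = sorted([a, b])
        return lo + hi + bytes([proto])
    lo, hi = sorted([(a, src_port), (b, dst_port)])
    return (lo[0] + struct.pack("!H", lo[1]) +
            hi[0] + struct.pack("!H", hi[1]) + bytes([proto]))


def select_link(key: bytes, n_links: int = 8, secret: bytes = HASH_KEY) -> int:
    """Map a flow key to one of n_links sensors using a keyed hash."""
    digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_links


def select_link_directional(src_ip: str, dst_ip: str, proto: int,
                            src_port: int, dst_port: int, n_links: int = 8) -> int:
    """The naive way (wrong for stateful devices): hash the tuple as seen on the wire."""
    raw = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port) +
           ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port) +
           bytes([proto]))
    return select_link(raw, n_links)


def sample_flows(n: int = 2000):
    """Constructed sample: n client->server TCP/443 flows with varying hosts and ports."""
    flows = []
    for i in range(n):
        client = f"10.{(i >> 8) & 0xFF}.{i & 0xFF}.{(i * 7) % 256}"
        server = f"192.0.2.{i % 16}"
        flows.append((client, server, 6, 1024 + (i * 37) % 60000, 443))
    return flows


def evaluate(n_links: int = 8):
    """Return (flows per link under symmetric hashing,
               number of conversations the directional hash splits across two sensors)."""
    counts: Counter = Counter()
    split = 0
    for src, dst, proto, sp, dp in sample_flows():
        fwd = select_link(canonical_key(src, dst, proto, sp, dp), n_links)
        rev = select_link(canonical_key(dst, src, proto, dp, sp), n_links)
        assert fwd == rev  # symmetric: the reply packets reach the same sensor
        counts[fwd] += 1
        if (select_link_directional(src, dst, proto, sp, dp, n_links) !=
                select_link_directional(dst, src, proto, dp, sp, n_links)):
            split += 1
    return counts, split


if __name__ == "__main__":
    counts, split = evaluate()
    for link in sorted(counts):
        print(f"link {link}: {counts[link]} flows")
    print(f"conversations split across sensors by directional hashing: {split}")
```

Two practical notes on the hash fields Bill lists: on a routed 10G link every packet carries the same router-to-firewall MAC pair, so a MAC-based hash gives no spread at all there (it only helps on a bridged segment with many hosts), and a port-based hash is the one to avoid if the path carries fragmented traffic, since only the first fragment has a transport header.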
