
List:       firewalls-gc
Subject:    Re: Enterprise Extranet Firewalls
From:       peter () baileynm ! com (Peter da Silva)
Date:       1997-07-11 8:49:04

I'm not a firewall vendor, and I've got no business to gain or lose from
this message. So...

> The company I'm working with needs to implement in the next three months.
> If you're a firewall vendor with a product that satisfies requirements (1)
> through (10) with available product or beta code, I'm probably not the only
> one who'd be interested in hearing about it.  If you can't match this list,
> don't bother to respond to me -- respond by changing your development
> priorities from toys like RealAudio to features that enable companies to get
> real work done better, faster, and more reliably.  We'll be reviewing the
> requirements and the market again in a year or so, and you can get in
> on the next evaluation cycle.

You've got an extremely specific set of requirements there, one I don't
think you're possibly going to solve without custom software... especially
with the requirement that they support an obscure proprietary SCSI RAID
controller (which pretty much means DOS, Netware, or NT based solutions).

I hope that the slam about "toys" was simply careless wording. The folks on
this list are not generally sales-droids who are supposed to take hits like
that as part of their jobs ("beat me more, master. I can take it... makes
the commission sweeter"). You want help from professionals, you need to treat
them as professionals.

That aside...

I think the best solution is going to be proxy firewalls front-ended with
some sort of high-availability NAT device. Double-NATting (the proxy does
2-way NAT, in effect) is the only way to really deal with conflicting
address spaces, and using a NAT device that detects when a proxy server
is down and switches to routing to another device will give you the
high availability. These sorts of devices are already available, but I'm
not familiar with any specific models.

Proxying LAN Manager and database servers is pretty well known technology.
Give the proxy multiple virtual IPs and attach plugs through to the real
destination host from each virtual IP address.

But finding proxies that will deal with your unnecessary Compaq SCSI RAID
controllers (since a firewall will never have enough disk spinning to make
RAID even vaguely necessary... just keep a mirror of the boot disk online
and switch over to it when the front-end warns you that the proxy is down)
is going to be tough.
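The "plug through" arrangement the reply sketches, written out as an added example that is not from the post or the list: one listening (virtual) address is plugged through to one real inside host, so the partner side only ever sees the virtual IP and the inside host only ever sees the proxy's own inside-facing address, which is the 2-way NAT that keeps overlapping address spaces apart. Everything here runs on loopback with constructed addresses; the helper names (`plug`, `start_echo_server`, `plug_roundtrip`) are assumptions of this example, and it needs Python 3.8+.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy one direction; pass the sender's FIN on as a half-close so the reply can still come back.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def plug(listen_addr, dest_addr, inside_bind=None):
    """Plug one virtual (listen) address through to one real inside host.
    The partner sees only the virtual IP; the inside host sees only inside_bind,
    the proxy's own inside-facing address: the 2-way NAT the post describes."""
    lsock = socket.create_server(listen_addr)
    def accept_loop():
        while True:
            client, _ = lsock.accept()
            upstream = socket.socket()
            if inside_bind:
                upstream.bind(inside_bind)
            upstream.connect(dest_addr)
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]  # the port actually bound (useful when 0 was requested)

def start_echo_server():
    """Constructed inside host: serves one connection, echoing its input prefixed by the peer port it saw."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve_one():
        conn, peer = srv.accept()
        with conn:
            conn.sendall(b"peer=%d " % peer[1] + conn.recv(4096))
    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()

def plug_roundtrip(payload):
    """Reach the inside host through a virtual IP on loopback; return (echo, port seen inside, client's port)."""
    port = plug(("127.0.0.1", 0), start_echo_server())
    with socket.create_connection(("127.0.0.1", port)) as c:
        client_port = c.getsockname()[1]
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    prefix, echo = reply.split(b" ", 1)
    return echo, int(prefix[5:]), client_port
```

The inside host reports the peer port of the proxy's upstream socket, not the client's, which is the observable effect of the double translation; in a real deployment each virtual IP gets its own `plug` call with `inside_bind` set to the proxy's inside-facing address.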
