[prev in list] [next in list] [prev in thread] [next in thread] 

List:       toasters
Subject:    Re: Performance impact of in-lined firewalls/IDS
From:       Jack Lyons <jack1729 () gmail ! com>
Date:       2008-03-21 1:37:05
Message-ID: 47E31140.1000106 () gmail ! com
[Download RAW message or body]

As food for thought.

We recently implemented 8 VMs on ESX 3.0 on NFS on a filer.

Everything was working fine, but we decided to implement a "Storage 
VLAN" for ISCSI and NFS traffic. 

While getting ready to implement this we discovered that the NFS traffic 
was traveling on our VMOTION network which was firewalled off by a linux 
based firewall (IPChains, RHEL 3).

Whats if even more interesting is that this linux based firewall was a 
VM on another standalone ESX 2.5.4 host running on a PowerEdge 2650 with 
4GB RAM with 8 other VMs running.

So the point is - it can work but I doubt it could sustain high throughput.

Jack

Webster, Stetson wrote:
> That's a very bad idea and is pointless.  A good security implementation
> will put stuff like that in more outer layers.  
>
> Ask how the IDS devices will handle jumbo frames and ask if they can run
> at near 1Gb/s line-speeds.  That's hard to do.
>
>  
>
> -----Original Message-----
> From: Nils Vogels [mailto:bacardicoke@gmail.com] 
> Sent: Thursday, March 20, 2008 12:03 PM
> To: Tom Yates
> Cc: toasters@mathworks.com
> Subject: Re: Performance impact of in-lined firewalls/IDS
>
> Hi Tom,
>
> On Thu, Mar 20, 2008 at 3:34 PM, Tom Yates <madlists@teaparty.net>
> wrote:
>   
>> I have a bunch of filers that we use from various hosts for CIFS, NFS 
>> and  iSCSI.  Powers That Be are planning to put both a firewall and an
>>     
>
>   
>> adaptive  IDS between my filers and my hosts.
>>     
>
> Not all iSCSI implementations support routing of iSCSI PDU's, so take
> that into account while choosing your IDS solution :)
>
> Greets,
>
> Nils
> --
> Simple guidelines to happiness:
> Work like you don't need the money,
> Love like your heart has never been broken and Dance like no one can see
> you.
>
>
>   

[prev in list] [next in list] [prev in thread] [next in thread]