 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: Internal Firewall
 Date:  Thu, 1 Sep 2005 23:20:29 +0200
And you still can put filters in place :)

I do it on my Passport 8610 routing switch. Performance up to 128 Gbps
(new chassis & CPU already 783 Gbps).

Just buy the new Cisco Catalyst switch with Gbit ports; they also have
L3 routing switch capabilities with fast performance.


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Thursday, 1 September 2005 23:16
CC: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Re: Internal Firewall

On 9/1/05, Vince Van De Coevering <vpv at figaros dot com> wrote:
> > By adding a firewall between your users and your servers you will be
> > dealing with an overly complex setup. The only rationale for doing
> > is if you do not trust the users, i.e. public access or student/lab
> > users. If that is the case restrict the public access or labs from
> > LAN on a DMZ.
> >
> > Enforce policies on proper use, updates and antivirus. Don't allow IM
> > or AOL installs. Restrict installation rights on your workstations.
> > Consider some kind of web content filtering to restrict access to
> > questionable material/games.
> I know of a large healthcare company who attempted to firewall off
> servers because they believed that HIPAA compliance called for that.
> ended up happening is that they created a lot of latency in their
> which caused critical services to time out, created bottlenecks,
> frequent disconnects, and ultimately resulted in lost worker

Yep, that's likely exactly what you're going to end up with, using a
typical firewall or router.

The proper way to do this would be to use VLANs and a L3 switch.  A
L3 switch is really the only feasible way to route between subnets
quickly enough that the latency and throughput degradation will be
virtually immeasurable, even up to gigabit wire speed.


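The setup the two replies above describe (users and servers on separate VLANs, routed by an L3 switch, with filters on the switch rather than a separate firewall box) looks roughly like the following on a Cisco Catalyst in IOS syntax. This is an added illustration written for this page, not configuration posted by anyone in the thread; the VLAN numbers, addresses and server roles are made up for the example.

```cisco
! Two VLANs: one for workstations, one for servers (IDs and names are assumed)
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Turn the switch into an L3 device so it routes between the SVIs in hardware
ip routing
!
! User-facing SVI. Traffic entering the switch from users is filtered here,
! so only the user->server direction is constrained and the server->user
! return packets are routed without an ACL lookup.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
! Server SVI, deliberately left without an inbound ACL (see note below)
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
! Only the services users need; everything else is dropped by the final deny.
! Hosts 10.1.20.10/.20/.30 are placeholder web, file and DNS servers.
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 443
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.20 eq 445
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.30 eq 53
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.30 eq 53
 permit ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255
 deny   ip any any
```

Two caveats a practitioner should keep in mind. Switch ACLs are stateless, so the rules above work because only one direction is filtered; if an ACL is also applied inbound on Vlan20, the return half of each TCP session has to be permitted explicitly (for example with a `permit tcp any 10.1.10.0 0.0.0.255 established` line), otherwise exactly the timeouts and disconnects described earlier in the thread appear. Second, adding the `log` keyword to ACL entries forces matching packets to be processed by the switch CPU instead of the forwarding hardware, which gives back the latency the L3 switch was chosen to avoid; keep logging off the high-volume entries.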