 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: Internal Firewall
 Date:  Thu, 1 Sep 2005 23:20:29 +0200
And you still can put filters in place :)

I do it on my Passports 8610 routing switch. Performance up to 128Gbps
(new chassis & cpu already 783Gbps)

Just buy the new Cisco Catalyst switch with gbit ports; they also have
L3 routing switch capabilities with fast performance.

J.

-----Original message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Thursday, 1 September 2005 23:16
CC: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Re: Internal Firewall

On 9/1/05, Vince Van De Coevering <vpv at figaros dot com> wrote:
>
> > By adding a firewall between your users and your servers you will be
> > dealing with an overly complex setup. The only rationale for doing this
> > is if you do not trust the users, i.e. public access or student/lab
> > users. If that is the case, restrict the public access or labs from the
> > LAN on a DMZ.
> >
> > Enforce policies on proper use, updates and antivirus. Don't
> > allow IM or AOL installs. Restrict installation rights on your workstations.
> > Consider some kind of web content filtering to restrict access to
> > questionable material/games.
>
> I know of a large healthcare company who attempted to firewall off their
> servers because they believed that HIPAA compliance called for that. What
> ended up happening is that they created a lot of latency in their network
> which caused critical services to time out, created bottlenecks, created
> frequent disconnects, and ultimately resulted in lost worker productivity.
>

Yep, that's likely exactly what you're going to end up with, using a
typical firewall or router.

The proper way to do this would be to use VLANs and an L3 switch. An
L3 switch is really the only feasible way to route between subnets
quickly enough that the latency and throughput degradation will be
virtually immeasurable, even up to gigabit wire speed.

-Chris
