
RE: [FW1] FW-1 plus load-balancing




Thomas,

Ah, that simplifies things.  I misinterpreted your original post to mean
that VPN was an issue, when in fact you meant the opposite.  Sorry.

Anyway, if all you want is load balancing of regular IP traffic at 400Mbps+,
you really have two options:

1) a software-based solution like Rainwall by Rainfinity that runs directly
on the firewall itself.
2) a hardware-based solution like ServerIron by Foundry that sits in front
of and behind the firewall (sandwich-style).

Both are capable of the speeds you describe, although there are distinct
differences in price and functionality.  In general, a hardware solution
will have more features, but may cost several times as much as a software
solution.  There are other products in each category, but I mention these
because both are OPSEC certified and emphasize scalability as a key feature.
Of the two, I recommend Rainwall, mainly because the manufacturer pays my
rent.  ;-)

For more information:
http://www.rainfinity.com/products/rwall.shtml
http://www.foundrynetworks.com/products/FWLB.html

Things to consider:  Do you just want load balancing (LB), or do you also
want high availability (HA)?  With so much traffic going through one point
in your network, what would be the impact of a failure at that point?  If
the impact would be significant, make sure your design avoids single points
of failure, including failure of the load-balancer.  Also, consider whether
you need HA/LB in all directions from all subnets, or just on certain
interfaces.  This can have a big impact on cost, especially with a
hardware-sandwich design.  Product list price comparisons don't tell you
much.  Compare total cost of ownership for a complete solution tailored to
your environment, including soft costs and costs beyond the HA/LB product
itself, such as added FW-1 licenses, rack space, future upgrades,
administration, etc.

Best regards,

Mark L. Decker
Rainfinity
[email protected] <mailto:[email protected]>

-----Original Message-----
From: Thomas Nau [mailto:[email protected]]

Mark,
no VPN at all so far. Simply a bunch (> 3000) of clients behind a 'soon to
come' OC-48 broken down to GigE.

Thomas


