Livermore Software Laboratories Intl.
A Division of Freemont Avenue Software, Inc.
1830 S. Kirkwood, Suite 205
Houston, TX 77077
vox: 281-759-3274
fax: 281-759-8558
www.lsli.com
portusinfo@lsli.com
TO: Happy Pharmaceuticals, Inc.
Reference:Firewall RFP
Executive Summary
FAS is pleased to offer a cost-effective solution that exceeds all your requirements for security, function, availability, performance, scalability, centralized management, notification, logging, and log analysis. PORTUS is the industry leader in fault-tolerant, high-performance firewalls. PORTUS introduced the first high-availability (five nines) fault-tolerant firewall in 1995. In 1996 PORTUS became the first firewall to exceed gigabit-per-second throughput. Product innovations have appeared in nine releases during those six years. PORTUS is very flexible and provides APIs enabling customization for special applications. Our solution consists of redundant firewalls at each of the three locations.

Requirements

99.99% Availability:
Each location will have a PORTUS-ES High Availability firewall with fault-tolerant hardware and software designed for 99.999% (five nines) availability. Each firewall consists of two independent computers that dynamically share the workload while monitoring each other's performance. If a hardware or software failure disables one of the units, the other automatically detects the problem and takes over its function, and alerts are issued to inform the administrators. The automatic takeover function (fwpulse) is able to avoid unnecessary takeovers caused by transient network conditions. When the fwpulse routine determines that a takeover is required, the process occurs within the blink of an eye. The takeover process can be customized with pre- and post-takeover scripts. Each computer is manufactured using the highest quality components available. For example, the motherboards on the PORTUS-ES(m) have demonstrated a Mean Time Between Failures of 190,800 hours (21.6 years). Each unit has hot-swap redundant power supplies, redundant cooling fans, and redundant hot-swap disk drives. The software is fault tolerant and is able to detect and recover from hardware and software errors on the fly. The product architecture isolates errors and prevents them from propagating from function to function. Specialized function recovery routines dynamically restart a function should it fail. Automatic function retirement returns all resources acquired from the system on a periodic basis; this prevents system disruptions caused by resource depletion such as memory leaks. Functional recovery routines dynamically restart the retired function to avoid any service disruption. Hardware and software errors are logged. Certain types of errors can trigger alerts and corrective actions, preventing temporary errors from disrupting transactions.

Performance
The PORTUS-ES22m system proposed for the central site consists of two independent systems, each with HTTP and FTP throughput greater than that of a 100 Mbps Ethernet link. If one of the systems fails, the other can easily handle the entire workload. The PORTUS-ES22i systems proposed for each remote location are also capable of saturating a T3 link. The software is capable of supporting more than 60,000 concurrent user sessions; the ultimate constraint is the memory required for processes and network buffers. All the systems are configured with 512 MB of RAM to allow up to 5,000 concurrent users per system.

Scalability

PORTUS-ES provides unequaled scalability. The distributed parallel processing architecture of PORTUS allows non-disruptive system upgrades. The uni-processor systems can be upgraded to multi-processor systems and to clusters of SMP systems that dynamically share the workload. The systems can be upgraded to multiple-gigabit capacity as required.

Flexibility

PORTUS provides specialized proxies for mail, HTTP, FTP, telnet, RPC, UDP, and Real Audio, as well as generalized proxies that can support nearly all TCP/IP applications. The Application Proxy (aproxy) also has an API that allows customization for special applications. The API allows customized code to control connection authorization and to access the data in the buffer from the client and server. This allows complete control of data flow and functions for individual applications at the firewall; data can also be modified before being sent to the client or server. The possibilities are limitless.

NAT

For security reasons PORTUS does not permit direct IP addressability through the firewall. As a result, private networks are not visible to the Internet. PORTUS achieves its high level of performance with NAT operational.

Centralized Management
All configuration data and access rules for the firewalls can be stored and controlled from a central computer. Hoplite, the GUI administration tool, provides encrypted access to all the firewalls to maintain security and integrity during transmission. Strong user authentication is required to gain access and manage the firewall remotely. Strong user authentication is also required to view and update the data on the Hoplite system. Hoplite encrypts the firewall configuration data to prevent unauthorized disclosure or modification of the firewall database. A secure telnet program provides command-line access to the firewall using an encrypted data stream. Strong user authentication is required to permit administrator access to the firewall. One administrator can easily manage dozens of remote PORTUS firewalls from a single system.

Logging

PORTUS performs extensive logging of all access attempts. A log record is written for each connection and after each disconnect. The log information includes date, time, client hostname and IP address, server hostname and IP address, the duration of the connection, the number of bytes sent and received, and even the CPU time used for longer-running connections. CPU time is not recorded for HTTP access, as the average time used per connection is less than the CPU timer resolution. Applications that require user identification and authentication, such as telnet and FTP, also log user information. The FTP proxy also logs the FTP sub-command, including the names of the files transferred. The HTTP access log is written in Common Log Format plus extensions. This allows most third-party log analysis tools to be used, as well as the tools provided by FAS. The format of the HTTP access log can also be customized. Log data can be stored and managed on the firewall. Logs can also be sent in real time to another system for analysis.

Log Analysis

PORTUS provides multiple log analysis tools to produce management reports from the mountains of log data. There are five reports that summarize e-mail activity. There are also four e-mail exception reports to permit analysis of e-mail problems. There are four summary reports for telnet and FTP activity. FAS also sells a Smart Web Analysis Tool (SWAT). It is highly customizable and can produce up to 27 different reports. Reports can be generated automatically on an hourly, daily, weekly or monthly basis. Reports can be viewed with a browser or automatically e-mailed to the administrator on a periodic basis. The SWAT program is exceptionally fast and can process a gigabyte HTTP access log in less than 2 minutes.

Real-Time Monitoring

PORTUS supplies real-time monitors. Hoplite allows real-time display of the system logs and HTTP access logs. Filters are provided to control what is displayed. Security alerts can also be displayed as they occur. PORTUS also includes real-time performance monitors. The performance monitor can be configured to log information on a periodic basis (such as 10-minute averages) to disk. It can also display running averages every 10 seconds. Everything one needs to know about system performance is displayed by the monitor. The disk space monitor automatically issues alerts when space utilization passes specified thresholds for individual file systems. The level and severity of the alert is used to determine who shall receive the message. Four severity levels are associated with specific utilization percentages.

Alerts
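The proposal says the HTTP access log is written in Common Log Format (plus vendor extensions) so that third-party tools can produce the kind of summaries SWAT does. The following is an added example, not PORTUS or FAS code: it parses constructed CLF lines (the PORTUS extension fields are not documented here and are not modelled), keeps unparseable lines for review instead of dropping them silently, and builds a per-client request, byte and error summary of the sort a log-analysis report would contain.

```python
import re
from collections import Counter

# Constructed sample access-log lines in standard Common Log Format.
# The last line is deliberately malformed to exercise the error path.
SAMPLE_LOG = """\
10.1.1.5 - - [19/Jul/1999:10:02:11 -0500] "GET /index.html HTTP/1.0" 200 2341
10.1.1.5 - - [19/Jul/1999:10:02:13 -0500] "GET /logo.gif HTTP/1.0" 200 8812
10.1.1.9 - jdoe [19/Jul/1999:10:05:40 -0500] "GET /private/ HTTP/1.0" 403 512
10.1.1.9 - jdoe [19/Jul/1999:10:05:45 -0500] "GET /private/report.pdf HTTP/1.0" 404 311
this line is not in Common Log Format
"""

# host ident authuser [date] "request" status bytes  (bytes may be "-")
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(text):
    """Return (records, bad_lines); bad lines are retained rather than discarded."""
    records, bad = [], []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            bad.append(line)
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records, bad


def summarize(records):
    """Per-client request count, bytes served, and number of 4xx/5xx responses."""
    requests, bytes_out, errors = Counter(), Counter(), Counter()
    for r in records:
        requests[r["host"]] += 1
        bytes_out[r["host"]] += r["bytes"]
        if r["status"] >= 400:
            errors[r["host"]] += 1
    return {"requests": dict(requests), "bytes": dict(bytes_out), "errors": dict(errors)}


if __name__ == "__main__":
    recs, bad = parse_clf(SAMPLE_LOG)
    print(summarize(recs))
    print("unparsed lines:", bad)
```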
Security Alerts are automatically recorded in the syslog. Alerts can be used to generate e-mails and pages.
Firewall Pricing and Configuration
Central site: PORTUS-ES22m, $30,000
Remote Site 1: PORTUS-ES22i, $24,000
Remote Site 2: PORTUS-ES22i, $24,000

Configuration

PORTUS-ES22m system:
The PORTUS-ES22m system is a redundant, high-availability, load-sharing firewall. There are two systems, each with the following configuration:
Single 400 MHz PowerPlus 604e processor, 512 kB L2 cache,
512 MB ECC RAM,
Ultra2 SCSI adapter,
hot-swap 9 GB Ultra2 SCSI disks,
dual hot-swap 300 watt power supplies,
triple redundant cooling fans,
32X CD-ROM,
2 10/100 Ethernet adapters on motherboard,
7 PCI slots,
19" rack-mount enclosure,
AIX 4.2 license and media,
PORTUS 3.2 license, documentation and media.

PORTUS-ES22i system:
The PORTUS-ES22i system is a redundant, high-availability, load-sharing firewall. There are two systems, each with the following configuration:
Single 400 MHz Pentium II, 512 kB L2 cache,
512 MB ECC RAM,
Ultra2 SCSI adapter,
hot-swap 9 GB Ultra2 SCSI disks,
dual hot-swap 300 watt power supplies,
triple redundant cooling fans,
32X CD-ROM,
2 10/100 Ethernet adapters,
6 PCI slots,
19" rack-mount enclosure,
Solaris 2.6 x86 license and media,
PORTUS 3.2 license, documentation and media.
Upgrade options are available.
Firewall RFP
See what the vendors are responding to. Includes links to all the RFP responses.