Current Network
Happy Pharmaceuticals, Inc. has a three-site enterprise network that is connected to the Internet at multiple points. Currently the company is not using firewalls; instead it has a few older proxy servers that are limited in scalability and functionality. Because the company's business has been growing, it is upgrading its current dual T1 connections from the central site network to higher-bandwidth T3 connections. The two regional sites will be upgraded from fractional T1 connections to the Internet to full T1 connections.

Current and Future Firewall Requirements
Happy Pharmaceuticals requires its network to be highly available, achieving at least 99.99% uptime, otherwise known as 'four nines' availability. Any firewall technology put in place must maintain 'four nines' availability at a minimum. Having a backup firewall on 'hot' standby, ready to take over from the primary firewall, is a viable option if it is not cost prohibitive. The currently planned connection to the Internet from the central site is over dual T3 connections. The T3s go to separate ISPs and will both be used for traffic (see Figure 1).

SunScreen Secure Net 3.0 includes industry-leading High Availability (HA) features, providing high availability both for network screening (firewall) functionality and for VPN encryption. Given the existing network topology, Sun suggests the following solution: replace firewalls 1 and 2 with an HA cluster consisting of two nodes, each of which connects to both routers/ISPs and to the internal network via standard Fast Ethernet hubs (see Figure 2). This not only gives Happy Pharmaceuticals HA for the current requirement, but also enables VPN connections between the central and remote sites, significantly reducing current WAN costs, as this feature is included in the standard SunScreen Secure Net 3.0 license. A SunScreen Secure Net 3.0 HA cluster allows Happy Pharmaceuticals to have a primary screen and up to 15 secondary screens available to take over if the primary fails. SunScreen Secure Net 3.0 licensing allows a single copy to be installed on all the nodes of an HA cluster without having to pay additional licensing costs.

The firewall solution chosen must be able to process high-speed traffic, since a switched Fast Ethernet connection (100 Mbit/s) is on one side of the firewall and a 45 Mbit/s T3 connection is on the Internet side. The majority of the traffic will be FTP and HTTP, and more than 3000 user sessions are possible at any given time.
Since the company has developed some of its own applications for use over the Internet, the firewall should provide some capability to customize security features to address new or unknown applications. The firewall should be able to handle up to 3000 user sessions and still provide additional room for growth.

SunScreen Secure Net is well known as a high-performance firewall able to sustain large numbers of simultaneous user connections, and is therefore easily able to support both Happy Pharmaceuticals' current performance requirements and future expansion. In tests, a Sun Ultra 5 workstation was able to support 75,000 user connections, so the Sun Ultra 5s that we propose will easily sustain 3000 user connections with ample room for growth.

Since Happy Pharmaceuticals' network is growing, the network managers want to run Network Address Translation (NAT) on the firewall to allow them to use a larger IP address space. The firewall solution should not negatively affect network performance even with NAT running.

To maximize performance, all NAT is done in the screen's kernel to ensure high-speed processing and transparency to end users and applications. NAT is stateful, which increases the efficiency of lookups in the address translation table by using address hashes and checksum adjustments based on differential checksum calculations. Both static and dynamic NAT are available. Static NAT maps a specific unregistered address to a specific registered address. Static translations can also map a range of unregistered addresses to a range of registered addresses, which requires the number of addresses in each range to match. Dynamic NAT maps a large set of unregistered IP addresses to a smaller set of registered addresses, providing external connections to the public Internet for a very large number of hosts using a limited number of registered addresses.
Unlike static NAT, which sets up a one-to-one mapping between internal private addresses and external public addresses, dynamic NAT creates a one-to-many mapping in which several internal addresses share the same public address. Dynamic NAT avoids IP address conflicts by maintaining a state table that records several values (source address, source port, destination address, and destination port) for each TCP, UDP or IP connection.

Centralized management of all the firewalls, at the central site as well as the remote sites, is critical, since the IT team has limited resources and travel between sites is very costly. Each firewall's rule base should be stored and updated in a single location and distributed securely to each firewall as needed. Figure 1 shows the proposed location of the firewalls throughout the upgraded network.

With SunScreen Secure Net 3.0, one screen can act as the primary screen for a group of firewalls with common address groups, service groups, user groups, and rules defining the network configuration. Each individual screen's configuration inherits these common definitions, although it may also be customized with rules unique to a specific firewall. Centralized management enables administrators to remotely administer configurations on a group of screens. A centralized management group is made up of a primary screen and a number of secondary screens; the primary screen's function is to push policy configurations to the secondary screens in the group. An administrator can create a number of centralized management groups, each with different capabilities, to rapidly deploy and update screens at various gateways throughout the organization.

A strong security logging capability, with log file analysis and report generation, is also required. This capability can be built into the firewall or run on a separate workstation on the network.
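The NAT behaviour described above (a one-to-one static range, a many-to-one dynamic state table keyed on source address, source port, destination address and destination port, and a differential checksum adjustment when an address is rewritten) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not SunScreen code and does not reproduce Sun's kernel implementation. The addresses, the port pool and the sample header are constructed, and the checksum update uses the RFC 1624 differential formula, which is one standard way to do what the text calls "differential checksum calculations".

```python
import struct
from ipaddress import ip_address


def fold(total: int) -> int:
    """Fold carries back in to get a 16-bit one's-complement sum."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Full IPv4 header checksum: complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    words = struct.unpack("!%dH" % (len(data) // 2), data)
    return (~fold(sum(words))) & 0xFFFF


def incremental_checksum(old_csum: int, old_words, new_words) -> int:
    """Differential update (RFC 1624, eq. 3): HC' = ~(~HC + ~m + m').

    Only the replaced 16-bit words are touched, so the translator does not
    re-read the whole header to repair the checksum after rewriting an address.
    """
    acc = (~old_csum) & 0xFFFF
    for w in old_words:
        acc += (~w) & 0xFFFF
    for w in new_words:
        acc += w
    return (~fold(acc)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Constructed sample IPv4 header (no options, DF set) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """Replace the source address (bytes 12-16) and patch the checksum differentially."""
    old_words = struct.unpack("!HH", header[12:16])
    packed = ip_address(new_src).packed
    old_csum = struct.unpack("!H", header[10:12])[0]
    new_csum = incremental_checksum(old_csum, old_words, struct.unpack("!HH", packed))
    return header[:10] + struct.pack("!H", new_csum) + packed + header[16:]


class StaticNat:
    """One-to-one mapping of a private range onto a public range of equal size."""

    def __init__(self, private: tuple, public: tuple):
        p0, p1 = ip_address(private[0]), ip_address(private[1])
        q0, q1 = ip_address(public[0]), ip_address(public[1])
        if int(p1) - int(p0) != int(q1) - int(q0):
            raise ValueError("static NAT range sizes must match")
        self.table = {str(p0 + i): str(q0 + i) for i in range(int(p1) - int(p0) + 1)}

    def translate(self, private_ip: str):
        return self.table.get(private_ip)


class DynamicNat:
    """Many-to-one mapping: each outbound 4-tuple gets its own port on the shared public address."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip, self.next_port, self.last_port = public_ip, first_port, last_port
        self.outbound = {}  # (src, sport, dst, dport) -> public port
        self.inbound = {}   # (public port, dst, dport) -> (src, sport)

    def translate_out(self, src: str, sport: int, dst: str, dport: int):
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table full")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port: int, remote_ip: str, remote_port: int):
        """Reply lookup; None means no state exists, so an unsolicited packet is dropped."""
        return self.inbound.get((public_port, remote_ip, remote_port))
```

The state-table lookup in `translate_in` is what makes dynamic NAT stateful in the sense the text describes: inbound traffic is only forwarded to an internal host when an outbound flow created the entry, and the same differential update shown for the IP header applies to the TCP or UDP checksum, whose pseudo-header also carries the rewritten address.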
It could be a third-party product that interfaces with the firewall completely. If an attempted attack or break-in occurs and is logged, the firewall should have some mechanism to page a network manager or alert the standard network management platform.

SunScreen Secure Net 3.0 packet filtering rules can be configured so that a packet is logged when it matches, or does not match, a particular policy rule criterion. If the applicable rule so specifies, the screen can record a log message or generate an SNMP alert to cause an action, such as a page. If the packet does not match any rule, the screen uses the default action for the interface on which the packet arrived to determine the disposition of the packet. Typically this action logs the packet and drops it, though other options are available. With SunScreen Secure Net 3.0 you create a policy that includes rules, and for each rule you can choose one of the following log actions:
- LOG_NONE
- LOG_SUMMARY
- LOG_DETAIL

Log data can be viewed in the GUI in historical or real-time mode. In historical mode, log activity can be examined for a particular segment over a particular time. In real-time mode, information is displayed as packets pass through the screen. SunScreen Secure Net 3.0 log information can be exported via a command line interface for post-processing and reporting. The log browser uses a filter language that is a superset of the Solaris snoop packet monitor tool's to analyze traffic. Up to 18 different events, for example packet type or session type, can be captured; up to 14 filters can then be applied, for example to select events relating to a particular hostname or service.

Happy Pharmaceuticals expects to receive a plan that describes the number of firewalls required to meet the above requirements and the recommended configuration of the firewalls. A total cost for the solution is also required, as well as the cost of any third-party software that the vendor recommends for log file analysis.
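The rule and logging semantics just described (first-match rule evaluation, a per-rule log action of LOG_NONE, LOG_SUMMARY or LOG_DETAIL, an optional alert when a rule fires, and a per-interface default action for packets that match no rule) are shown below as an added example written for this page. It is a model, not SunScreen's policy syntax or code; the `Rule` and `Packet` fields, the interface names `hme0` and `hme1`, and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOG_NONE, LOG_SUMMARY, LOG_DETAIL = "LOG_NONE", "LOG_SUMMARY", "LOG_DETAIL"


@dataclass
class Rule:
    """One policy rule; field names are this example's, not the product's."""
    name: str
    src: str            # CIDR network
    dst: str            # CIDR network
    service: str        # "tcp/80", "udp/53" or "any"
    action: str         # "ALLOW" or "DENY"
    log: str = LOG_NONE
    snmp_alert: bool = False


@dataclass
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Screen:
    rules: list
    iface_defaults: dict        # iface -> (action, log level) for unmatched packets
    log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(rule.src):
            return False
        if ip_address(pkt.dst) not in ip_network(rule.dst):
            return False
        return rule.service == "any" or rule.service == f"{pkt.proto}/{pkt.dport}"

    def _record(self, level: str, tag: str, pkt: Packet) -> None:
        """LOG_SUMMARY keeps the header fields; LOG_DETAIL also keeps (a prefix of) the payload."""
        if level == LOG_NONE:
            return
        entry = {"rule": tag, "iface": pkt.iface, "src": pkt.src, "dst": pkt.dst,
                 "service": f"{pkt.proto}/{pkt.dport}"}
        if level == LOG_DETAIL:
            entry["payload"] = pkt.payload[:64].hex()
        self.log.append(entry)

    def filter(self, pkt: Packet) -> str:
        """Return the disposition of the packet, logging and alerting as the policy dictates."""
        for rule in self.rules:             # first matching rule decides
            if self._matches(rule, pkt):
                self._record(rule.log, rule.name, pkt)
                if rule.snmp_alert:         # stand-in for the SNMP trap / page hook
                    self.alerts.append(f"{rule.name}: {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
                return rule.action
        # No rule matched: fall back to the arrival interface's default (log and drop here)
        action, level = self.iface_defaults.get(pkt.iface, ("DROP", LOG_SUMMARY))
        self._record(level, f"default:{pkt.iface}", pkt)
        return action


def demo():
    """Run three constructed packets through a small constructed policy."""
    screen = Screen(
        rules=[
            Rule("web-out", "10.0.0.0/8", "0.0.0.0/0", "tcp/80", "ALLOW", LOG_SUMMARY),
            Rule("ftp-out", "10.0.0.0/8", "0.0.0.0/0", "tcp/21", "ALLOW", LOG_SUMMARY),
            Rule("telnet-in", "0.0.0.0/0", "10.0.0.0/8", "tcp/23", "DENY", LOG_DETAIL, snmp_alert=True),
        ],
        iface_defaults={"hme0": ("DROP", LOG_SUMMARY), "hme1": ("DROP", LOG_SUMMARY)},
    )
    results = [
        screen.filter(Packet("hme1", "10.1.2.3", "198.51.100.7", "tcp", 80)),            # allowed, summary log
        screen.filter(Packet("hme0", "192.0.2.9", "10.1.2.3", "tcp", 23, b"\xff\xfb\x01")),  # denied, detail log + alert
        screen.filter(Packet("hme0", "192.0.2.9", "10.1.2.3", "udp", 161)),                 # no rule: interface default
    ]
    return screen, results


if __name__ == "__main__":
    scr, res = demo()
    for disposition, entry in zip(res, scr.log):
        print(disposition, entry)
    print("alerts:", scr.alerts)
```

The point for a reviewer of the RFP response is the last branch of `filter`: a packet that matches nothing is not silently passed but handled by the interface default, and the log entry it produces is tagged with that interface so unmatched traffic can be found during analysis.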
Costs and Licensing
Software
Unlimited node license $9995
Workgroup license (up to 100 nodes) $2995
Each license can be installed on one machine or on a single HA cluster (including primary and secondary nodes) and includes both screening and VPN functionality.

Hardware
For the central site we recommend two Ultra 5 workstations at $2495 each, as an HA cluster; for the remote sites we recommend one Ultra 5 for each site.

Totals
| Item | Cost |
|---|---|
| Software (assuming remote sites have fewer than 100 nodes each) | $15985 |
| Hardware (assuming HA only required for central site) | $9980 |
| Overall Total | $25965 |
Figure 2. Happy Pharmaceuticals Proposed Future Network Utilizing VPNs
