[unisog] High speed firewalls - Connections per second not bi ts per second

Darden, Patrick S. darden at armc.org
Tue Feb 22 13:20:08 GMT 2005

3 ideas for you: 

1.  Isolate segments and use multiple firewalls.  This gives you the
greatest flexibility, speed, and potential number of connections.
Administration is heightened, but if you use one of those BSD or Linux
firewalls that boots off of a CD or Floppy, updates should be simple--send a
tech, RA, or whatever out to insert and reboot.

2.  Use one firewall, employ active anti-DOS  measures.  E.g.  if more than
500 connections hit the same site in under a minute, drop all of those
connections and refuse any more; additionally, if more than 100 connections
come from the same ip in under a minutes, drop them all and refuse any more.
That should safeguard your network, safeguard the internet from your
network, and provide the CPS you desire.

3.  Surrender and route.

Personally, I would do 1 and 2.

--patrick darden
--internetworking manager
--rhce, ccsa, ccse, ccna, ncre, etc.

More information about the unisog mailing list