
So the questions that need to be answered before we even get into the architectural aspects of such a design become:
1. Firewalls are expensive. How could an organization possibly be able to afford that many firewalled ports?
Answer: The truth is that unless you’ve bound yourself to a particular vendor or technology, there are a number of very good options on the market that can meet this constraint. In some cases the price point for firewalled ports vs. non-firewalled ports could actually work out to be less than your typical switch port, if you keep an open mind.
2. I don’t know of any firewalls that don’t have the port density that switches do. Are there firewalls that do?
Answer: While I will say that high port density firewalls aren’t going to be part of your typical firewall portfolio, they are out there. Vendors such as Juniper Networks and Fortinet currently have products in their portfolios that can fit the bill. Even Cisco had a product, the FWSM (Firewall Services Module) for the 6500, that gave your Catalyst switch the ability to firewall hundreds of ports.
3. Firewalls add a significant amount of overhead in order for me to be able to manage policies. How could I possibly manage a large environment with firewalls all over the place?
Answer: Central management for products is much more common than it used to be. Many vendors are even starting to offer the ability to manage their products via the cloud or through an on-premises appliance. One of the features these management platforms usually have is the ability to create device templates and push policies out to device groups. In some situations, this can even be faster than making changes in a switched environment.
4. Firewalls are not as fast as switches. Are there firewalls that can give me the throughput and performance that I need?
Answer: Absolutely. Your typical user isn’t going to be in a switching environment where they need nanosecond latency like on Wall Street. Many of the firewalls you see today add only a few microseconds of latency for processing firewalled traffic. That is millionths (1/1,000,000ths) of a second to process a firewall policy. Typically, when you measure ping latency it’s only going to be in the thousandths (1/1,000ths) of a second. It’s pretty quick and impressive, to say the least.
Based on those answers, we start to see that being able to architect a secure network solution where security is at the forefront of the architecture and design has become much more feasible than it once was. However, it comes at the cost of being able to allocate the time and resources up front and get all of the required teams collaboratively meeting with each other in order for such a design to be successful. I’ll discuss more of the architectural components of making such a design a bit more of a reality in my next blog.