From owner-freebsd-security Sat Aug 21 00:03:49 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lazlo.internal.steam.com (lazlo.steam.com [199.108.84.37])
	by hub.freebsd.org (Postfix) with ESMTP id 254611505D
	for ; Sat, 21 Aug 1999 00:03:47 -0700 (PDT)
	(envelope-from cliff@steam.com)
Received: from lazlo.internal.steam.com (cliff@lazlo.internal.steam.com [192.168.32.2])
	by lazlo.internal.steam.com (8.9.3/8.9.3) with ESMTP id AAA15011;
	Sat, 21 Aug 1999 00:03:43 -0700 (PDT)
Date: Sat, 21 Aug 1999 00:03:43 -0700 (PDT)
From: Cliff Skolnick
X-Sender: cliff@lazlo.internal.steam.com
To: Wes Peters
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE44AF.67A392E6@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is starting to drift a bit away, but I'm still saying a FreeBSD
machine with a bunch of ethernets is cheaper and more versatile than a
switch that can do real firewalling.  Granted I will admit the
performance will not be gigabit, but for the most part you can filter
traffic from one or two DS3s, and most firewalls are between the LAN and
WAN.

On Sat, 21 Aug 1999, Wes Peters wrote:

> Who said anything about layer 2 devices?  Both the switches I referred to
> are layer 3 devices with a wide range of network services available.  The
> Xylan box offers Checkpoint FW-1 firewall and advanced routing if you want
> to get really involved, though you'll need a model with more RAM and Flash.

And I'm sure the checkpoint software is many thousands of dollars, which
will raise your port cost quite a bit.  And that damn 25/50/unlimited
licensing is not cheap.  Unfortunately they did not have prices on the
Xylan or Checkpoint site, and web queries with product numbers turned up
only checkpoint and xylan pages.

> > 4 Port Ethernet cards are less than $500 now so you
> > can build the box with a really low per-port cost.  The box costs $2000 for
> > 8 ports at about $250/port.
>
> You obviously didn't follow the links.  The HP ProCurve I mentioned is $1880
> for 40 switched 10/100 ports with layer 3 functionality and VLAN support.
> That's $47 per port, much lower than your $250/port, with a LOT more performance
> also.  The Tolly Group recently tested it and found it capable of sustaining
> full wire speed on all 40 ports.  I'll just bet your PCI-bus box isn't going
> to hit 4 Gbps throughput.

Did you read the manual?  Not much layer 3 there at all, but it will let
you filter based on IP multicast.  If you can do more than this, please
point me to the page number in the manual.

> > Sure there are some switches that do provide extensive filtering and even
> > load balancing, but those are usually a bit more than $250/port.
>
> Not anymore.

The key word is "extensive": nice range of services to filter on,
logging, stateful inspection, etc.

Cliff

--
| Cliff Skolnick            | "They that can give up essential liberty to |
| Steam Tunnel Operations   |  obtain a little temporary safety deserve   |
| cliff@steam.com           |  neither liberty nor safety."               |
| http://www.steam.com/     |        -- Benjamin Franklin, 1759           |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message