As food for thought.
We recently implemented 8 VMs on ESX 3.0 on NFS on a filer.
Everything was working fine, but we decided to implement a "Storage VLAN" for ISCSI and NFS traffic.
While getting ready to implement this we discovered that the NFS traffic was traveling on our VMOTION network, which was firewalled off by a Linux-based firewall (IPChains, RHEL 3).
What's even more interesting is that this Linux-based firewall was a VM on another standalone ESX 2.5.4 host running on a PowerEdge 2650 with 4GB RAM, with 8 other VMs running.
So the point is - it can work but I doubt it could sustain high throughput.
Jack
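The situation Jack describes (storage traffic silently leaving via the VMotion interface instead of the intended storage VLAN) is easy to catch before cut-over by resolving each datastore endpoint against the host's routing table. The following is an added example, not code from the thread or from any of the products mentioned; the routing table, interface names (vmk0/vmk1) and endpoint addresses are constructed for illustration. It implements longest-prefix route selection and flags any NFS or iSCSI endpoint whose traffic would exit on a non-storage interface.

```python
import ipaddress

# Constructed routing table for a host: (destination network, interface, role).
# The intended design is that NFS and iSCSI traffic leaves via the storage VLAN only.
ROUTES = [
    ("10.1.20.0/24", "vmk1", "storage"),
    ("10.1.10.0/24", "vmk0", "vmotion"),
    ("0.0.0.0/0", "vmk0", "vmotion"),   # default route (constructed)
]

# Constructed datastore endpoints as configured on the host: (protocol, target address, resource).
ENDPOINTS = [
    ("nfs", "10.1.20.5", "/vol/vmstore1"),
    ("nfs", "10.1.10.5", "/vol/vmstore2"),   # filer reached via its VMotion-side address
    ("iscsi", "10.1.20.6", "iqn.example:target1"),
]


def select_route(dst, routes):
    """Longest-prefix match over the route table, as an IP stack would do it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, role in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, role)
    return best


def misplaced_storage_traffic(endpoints, routes, storage_role="storage"):
    """Return (proto, target, resource, iface, role) for every endpoint whose
    traffic would leave via an interface that is not in the storage role."""
    findings = []
    for proto, target, resource in endpoints:
        route = select_route(target, routes)
        if route is None:
            findings.append((proto, target, resource, None, "no route"))
            continue
        _network, iface, role = route
        if role != storage_role:
            findings.append((proto, target, resource, iface, role))
    return findings


if __name__ == "__main__":
    for proto, target, resource, iface, role in misplaced_storage_traffic(ENDPOINTS, ROUTES):
        print(f"{proto} {target}:{resource} would leave via {iface} ({role} network)")
```

Run against real data, the route table would come from the host's routing output and the endpoint list from its datastore configuration; the check is the same. Here the second NFS datastore is mounted through the filer's VMotion-side address, so it is flagged, while the two endpoints on the storage subnet are not.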
Webster, Stetson wrote:
That's a very bad idea and is pointless. A good security implementation will put stuff like that in more outer layers.
Ask how the IDS devices will handle jumbo frames and ask if they can run at near 1Gb/s line-speeds. That's hard to do.
-----Original Message-----
From: Nils Vogels [mailto:bacardicoke@gmail.com]
Sent: Thursday, March 20, 2008 12:03 PM
To: Tom Yates
Cc: toasters@mathworks.com
Subject: Re: Performance impact of in-lined firewalls/IDS
Hi Tom,
On Thu, Mar 20, 2008 at 3:34 PM, Tom Yates madlists@teaparty.net wrote:
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an
adaptive IDS between my filers and my hosts.
Not all iSCSI implementations support routing of iSCSI PDUs, so take that into account while choosing your IDS solution :)
Greets,
Nils
Simple guidelines to happiness: Work like you don't need the money, Love like your heart has never been broken and Dance like no one can see you.