Wednesday, February 20, 2019

Network/Firewall design for streaming services

Hello,

I'm brainstorming about a setup we will have to figure out soon. We have a streaming network currently that sits on N5Ks.

The incoming internet line is 4x 40Gbps, terminated on N5Ks. The hosts (streaming servers) are also connected into that network and are secured with iptables. There is no FW cluster nor services active in this network.

The idea is to modernize this setup. The challenges we face are quite simple:

Incoming speed is 40Gbps; if we want to talk seriously about security we'll need traffic filtering of some sort. But the flow of the traffic will not be 40Gbps inbound, but more outbound. The endpoint on the internet will ask to set up a session and our network will have to respond with the bandwidth.

I know there is a setup that exists (I've seen it in the past) with triangle routing: you filter the incoming request (which is not at 40Gbps), you respond (allow/block) and then route the traffic to the endpoint. But the routing is not done via the firewall due to the massive 40Gbps requirement.

I haven't been that active in the Firewall world to know if anything in the product line of Palo Alto/F5/... can offer this solution. A potential problem I see is: What if the incoming stream request needs to be encrypted?

Potentially I could set up an ACI fabric (single small pod) and deal with the bandwidth requirement (40Gbps), but it will only be able to offer basic FW (ACL). I'll have to look into PBR, but I think the encryption of the stream will still pose a massive issue.

Anyone been in touch with these kinds of designs?
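One consequence of the triangle design sketched above is that the upstream firewall only ever sees the client-to-server direction, so the streaming host itself must stay the stateful control point for the high-bandwidth return path. The following nftables ruleset is an added illustration of that host-side policy (not from the original post or any vendor product); it assumes the stream service listens on TCP/UDP 443, that the host replies directly over its 40Gbps uplink, and that management comes from a hypothetical 192.0.2.0/24 range.

```nftables
#!/usr/sbin/nft -f
# Host-side policy for a streaming server whose replies bypass the edge firewall.
# Assumptions (hypothetical): service on port 443, management net 192.0.2.0/24.
# Policy-based routing for the direct return path is configured separately
# (ip rule / ip route) and is not part of this file.
flush ruleset

table inet stream_host {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-accepted flows: this is where the 40Gbps of
        # outbound stream traffic's inbound ACKs land, so it must be cheap.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # New session requests are low-volume; rate-limit them per source
        # so a flood of setup requests cannot exhaust the service.
        tcp dport 443 ct state new \
            meter new_tcp size 65535 { ip saddr limit rate 20/second burst 50 packets } accept
        udp dport 443 ct state new \
            meter new_udp size 65535 { ip saddr limit rate 20/second burst 50 packets } accept

        # Minimal ICMP so path MTU discovery keeps working for the stream.
        icmp type { echo-request, destination-unreachable } limit rate 10/second accept
        icmpv6 type { echo-request, packet-too-big, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Management only from the trusted range (hypothetical).
        ip saddr 192.0.2.0/24 tcp dport 22 ct state new accept

        # Everything else is dropped silently and counted for monitoring.
        counter drop
    }

    chain forward {
        # The host is an endpoint, never a router for other traffic.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Encrypted session requests (TLS) can only be filtered here on L3/L4 attributes, which is the limitation the post raises; the per-source meters and the `counter drop` line are the places to attach monitoring.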
