Fast DMZ backups

Hi all,

I'm looking at bringing a backup server from the DMZ into the LAN. I need something to put between the DMZ clients and the server to protect it while giving me the best throughput possible. I'd be happy with extended access-lists, and so have been looking at an L3 switch.

Is it possible to configure extended access-lists that would allow the backup server to communicate with the clients in the DMZ, while protecting the internal network in case the backup server is compromised? I am still exploring whether the client attempts to initiate a session on a random port (a la ftp) or whether it's a pure pull.

What are my alternatives?

Ta

yamahasw40

In article , wrote:
:I'm looking at bringing a backup server from the DMZ into the LAN. I
:need something to put between the DMZ clients and the server to protect
:it while giving me the best throughput possible. I'd be happy with
:extended access-lists, and so have been looking at an L3 switch.

:Is it possible to configure extended access-lists that would allow the
:backup server to communicate with the clients in the DMZ, while
:protecting the internal network in case the backup server is
:compromised?

Not really, but 'reflexive' access-lists come much much closer.

:I am still exploring whether the client attempts to
:initiate a session on a random port (a la ftp) or whether it's a pure
:pull.

What throughput do you need? "best possible" could get pretty expensive by the time you get into the petabit per second range.

:What are my alternatives?

PIX 506E and up are rated at 100 Mbit/s cleartext or better.

The x8xx routers have line-rate packet inspection, but the 'line' is only small multiples of T1 speed in the lower end of the line.

There is a new line of security appliances that I haven't had a look at.

The 3600 series -above- the 3640 can handle 100 Mbit/s; if your traffic occurs in long streams, then there might not be much traffic inspection needed, so any slowdowns from CBAC might not be of importance.

The Cat 3560 and Cat 3750 multilayer switches can do gigabit on multiple ports, but I don't recall that they support reflexive ACLs, just extended ACLs. They weren't designed as security devices per se.

Walter Roberson
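To make the difference between the two approaches in this thread concrete, here is an added IOS configuration example (not posted by either participant) showing a plain extended ACL next to a reflexive ACL for the DMZ-facing interface. Addresses, VLAN number and ACL names are constructed, and it assumes an IOS platform that actually supports reflexive ACLs, which the reply above notes the Cat 3560/3750 may not.

```cisco
! Constructed addresses (assumption, not from the thread):
!   backup server  10.10.10.5        now on the LAN side
!   DMZ clients    192.168.100.0/24
!   Vlan100        the L3 interface facing the DMZ
!
! --- Weak: plain extended ACL ---
! The only way to admit replies is "established", which matches any
! TCP segment with ACK or RST set. There is no per-session state, so
! a compromised host on either side can push crafted traffic through
! this hole as long as the flag bits are set.
ip access-list extended DMZ_IN_WEAK
 permit tcp 192.168.100.0 0.0.0.255 host 10.10.10.5 established
 deny   ip any any log
!
! --- Better: reflexive ACL ---
! Sessions the backup server opens towards the DMZ create temporary
! entries in BACKUP_SESSIONS; only the matching replies are let back in.
ip access-list extended DMZ_OUT
 ! server -> DMZ clients, tracked per session, entries expire when idle
 permit tcp host 10.10.10.5 192.168.100.0 0.0.0.255 reflect BACKUP_SESSIONS timeout 300
 permit udp host 10.10.10.5 192.168.100.0 0.0.0.255 reflect BACKUP_SESSIONS timeout 60
 deny   ip any any log
!
ip access-list extended DMZ_IN
 ! evaluate the temporary entries first, then drop everything else,
 ! including any session a DMZ client tries to initiate on its own
 evaluate BACKUP_SESSIONS
 deny   ip any any log
!
interface Vlan100
 description DMZ-facing interface
 ip access-group DMZ_OUT out
 ip access-group DMZ_IN in
!
! Check the dynamic entries while a backup job is running:
! show ip access-lists BACKUP_SESSIONS
```

If the backup protocol needs the DMZ client to open a separate connection back to the server (the ftp-like case raised in the question), reflexive entries will not cover it; that is where CBAC (`ip inspect`) on a router or a firewall such as the PIX is needed instead.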
