Firewall Wizards mailing list archives
RE: Firewall performance
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 23 Jun 1999 20:57:43 -0400
* The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have a sub-par TCP/IP stack as far as performance is concerned. i.e. Max throughput for a single socket in NT will generally be less than on Solaris, etc. The best software in the world can only send and receive data as quickly as the TCP/IP stack can manage.
Depends on whether or not it's a proxy firewall or a filter. A lot of the vendors that make NT-based firewalls access data just above NDIS, then make a go/no-go decision at that point. Doing that eliminates NT's IP stack entirely. Same applies for a Checkpoint running on Solaris - the IP stack only comes into play when a packet is permitted up the stack to the machine itself (which is usually a bad idea!) Some of the NT firewalls perform pretty well, in fact, since NT is really just acting as a GUI and program loader/filesystem while the firewall itself is basically a kernel mode device driver.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr