Firewall Wizards mailing list archives

RE: Firewall performance


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 23 Jun 1999 20:57:43 -0400

* The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have
a sub-par TCP/IP stack as far as performance is concerned.  i.e. Max
throughput for a single socket in NT will generally be less than on Solaris,
etc.  The best software in the world can only send and receive data as
quickly as the TCP/IP stack can manage.

Depends on whether or not it's a proxy firewall or a filter. A
lot of the vendors that make NT-based firewalls access data just
above NDIS, then make a go/no-go decision at that point. Doing
that eliminates NT's IP stack entirely. Same applies for a Checkpoint
running on Solaris - the IP stack only comes into play when a
packet is permitted up the stack to the machine itself (which is
usually a bad idea!)

Some of the NT firewalls perform pretty well, in fact, since
NT is really just acting as a GUI and program loader/filesystem
while the firewall itself is basically a kernel mode device
driver.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
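The filtering point Marcus describes above, a go/no-go decision taken on the raw frame just above the NIC driver before the host IP stack has parsed anything, as an added C example that is not from the original post or from any vendor's product. The bounds-checked Ethernet/IPv4/TCP/UDP header parsing is the technique being shown; the rule table, the 192.0.2.10 address, the port numbers and the build_tcp_frame helper are constructed assumptions for illustration.

```c
/*
 * Added example (not from the original post or any firewall product):
 * a minimal stateless go/no-go filter of the kind a firewall hooked just
 * above NDIS applies to a raw Ethernet frame before the host IP stack
 * ever sees it. The rule table and the frame-building helper are
 * assumptions for illustration. Every length field is validated before
 * use, so a truncated or lying frame is dropped rather than read past.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DROP = 0, PASS = 1 };

/* A rule matches on protocol, destination port and destination IP; 0 = any. */
struct rule {
    uint8_t      proto;     /* 6 = TCP, 17 = UDP, 0 = any */
    uint16_t     dst_port;  /* 0 = any */
    uint32_t     dst_ip;    /* host byte order, 0 = any */
    enum verdict action;
};

/* Constructed rule table: permit TCP/80 and TCP/25 to 192.0.2.10, default deny. */
static const struct rule rules[] = {
    { 6, 80, 0xC000020AU, PASS },
    { 6, 25, 0xC000020AU, PASS },
    { 0, 0,  0,           DROP },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decide on a raw frame of len bytes; first matching rule wins. */
enum verdict filter_frame(const uint8_t *frame, size_t len)
{
    if (len < 14) return DROP;                     /* Ethernet II header */
    if (rd16(frame + 12) != 0x0800) return DROP;   /* only IPv4 handled here */

    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return DROP;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > iplen) return DROP;
    uint16_t total = rd16(ip + 2);
    if (total < ihl || total > iplen) return DROP; /* total length lies about the buffer */
    if (rd16(ip + 6) & 0x1FFF) return DROP;        /* non-first fragment: no ports, drop */
    uint8_t  proto  = ip[9];
    uint32_t dst_ip = rd32(ip + 16);

    uint16_t dst_port = 0;
    if (proto == 6 || proto == 17) {
        if (total - ihl < 4) return DROP;          /* need src and dst port fields */
        dst_port = rd16(ip + ihl + 2);
    }

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct rule *r = &rules[i];
        if (r->proto    && r->proto    != proto)    continue;
        if (r->dst_port && r->dst_port != dst_port) continue;
        if (r->dst_ip   && r->dst_ip   != dst_ip)   continue;
        return r->action;
    }
    return DROP;
}

/* Constructed test helper: Ethernet/IPv4/L4 frame with no payload and no checksums
 * (the filter does not verify them; the stack behind it would). Returns frame length. */
size_t build_tcp_frame(uint8_t *buf, size_t cap, uint32_t dst_ip, uint16_t dst_port, uint8_t proto)
{
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                /* ethertype IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                  /* version 4, IHL 5 */
    ip[2] = 0; ip[3] = 40;                         /* total length 40 */
    ip[8] = 64; ip[9] = proto;
    ip[16] = (uint8_t)(dst_ip >> 24); ip[17] = (uint8_t)(dst_ip >> 16);
    ip[18] = (uint8_t)(dst_ip >> 8);  ip[19] = (uint8_t)dst_ip;
    uint8_t *l4 = ip + 20;
    l4[0] = 0xC0; l4[1] = 0x00;                    /* src port 49152 */
    l4[2] = (uint8_t)(dst_port >> 8); l4[3] = (uint8_t)dst_port;
    return 54;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_tcp_frame(f, sizeof f, 0xC000020AU, 80, 6);
    printf("TCP/80 -> %s\n", filter_frame(f, n) == PASS ? "PASS" : "DROP");
    n = build_tcp_frame(f, sizeof f, 0xC000020AU, 22, 6);
    printf("TCP/22 -> %s\n", filter_frame(f, n) == PASS ? "PASS" : "DROP");
    return 0;
}
```

The filter is the first code to touch attacker-controlled bytes, which is why every length field (frame length, IHL, total length, L4 header presence) is checked before it is used as an offset; a go/no-go module that trusts the total-length field would read past the NIC buffer. Non-first fragments are dropped because a stateless filter cannot see their ports, the conservative choice for a default-deny rule set.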


