Firewall Wizards mailing list archives

Re: Firewall performance


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 24 Jun 1999 15:25:20 -0700 (PDT)

--- Sandy Green <sand232 () yahoo com> wrote:
> Thanks to all those who responded. But actually
> that does not answer my query.
> There is a lab report on the Checkpoint site about the
> Solaris vs NT performance.
> Fine... but actually there are other important factors
> like PCI bus speed of the computer as well, CPU
> speed, memory.

If you are talking about packet filtering/forwarding, then 
current firewalls tend to perform quite a bit beneath the
hardware's capabilities. If you are talking about "proxying"
rather than "routing", then there are some MAJOR architectural
differences between WinNT and Solaris.

Network services on UNIX systems are designed from the standpoint
of fork()ing a new process for each connection. This has a huge
performance impact on heavily utilized servers. Therefore, WinNT
was designed from a "multi-thread" point of view rather than
a "multi-process". Thread creation is not only cheaper, you
can further tweak things with thread "pools".

Therefore, if you see a webserver comparison using CGI scripts
(programs that are fork()ed off by the web server), you will
see UNIX systems with a huge lead over WinNT. WinNT's process
creation performance sucks. However, comparisons that recompile
the CGI programs as Microsoft ISAPI filters likewise perform
significantly faster than UNIX plus CGI. 

I know neither Checkpoint's architecture nor the tests you were
referring to. However, if the test dealt with proxies and 
Checkpoint follows the standard UNIX paradigm of fork()ing
processes, you will see a huge performance degradation on WinNT.

In short, a product written for one architecture will run poorly 
on an OS optimized for another architecture.

There is more to this story. You must remember that Microsoft
builds both OS and apps. In particular, Microsoft has built
WinNT to be the perfect app for SQL Server and IIS. Oracle is
doing the same thing, trying to build a single platform that
doesn't have an OS but which is a pure Oracle server. Only with MS,
we get half the SQL Server and think it is an OS named WinNT.

Some of these features are like I/O Completion Ports 
(a multi-threaded variant of select()) and Overlapped I/O. These
features were designed for IIS and SQL Server on multi-CPU
machines. If you have a massively scalable program 
such as a web server, a database server, or a proxying firewall,
then you almost certainly need to use these features as well,
or you won't be getting the performance you otherwise expect.


Rob.
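
The two service models contrasted in the message above (one fork() per connection versus a fixed pool of threads), as an added example that is not part of the original post. It assumes a POSIX system with Python 3; the function names and the socket-pair workload are constructed for illustration.

```python
import os, queue, socket, threading, time

def handle(conn):  # stand-in for proxy work: relay the request back upper-cased
    with conn:
        conn.sendall(conn.recv(1024).upper())

def serve_forking(conns):  # classic UNIX model: one fork() per connection
    pids = []
    for c in conns:
        pid = os.fork()
        if pid == 0:              # child: serve this one connection, then exit
            try:
                handle(c)
            finally:
                os._exit(0)       # never fall back into the parent's code path
        c.close()                 # parent drops its copy of the socket
        pids.append(pid)
    for pid in pids:
        os.waitpid(pid, 0)        # reap children so no zombies remain
    return len(pids)              # processes created

def serve_pooled(conns, workers=4):  # a fixed set of threads shares every connection
    q = queue.Queue()
    def worker():
        for c in iter(q.get, None):   # None is the shutdown sentinel
            handle(c)
    pool = [threading.Thread(target=worker) for _ in range(workers)]
    for t in pool:
        t.start()
    for item in list(conns) + [None] * workers:
        q.put(item)
    for t in pool:
        t.join()
    return len(pool)              # threads created

def run(server, n=20):  # constructed workload: n local socket pairs, one request each
    pairs = [socket.socketpair() for _ in range(n)]
    for i, (client, _) in enumerate(pairs):
        client.sendall(b"req %d" % i)
    start = time.perf_counter()
    created = server([srv for _, srv in pairs])
    elapsed = time.perf_counter() - start
    replies = [client.recv(1024) for client, _ in pairs]
    for client, _ in pairs:
        client.close()
    return created, replies, elapsed

if __name__ == "__main__":
    for model in (serve_forking, serve_pooled):
        created, _, elapsed = run(model)
        print(model.__name__, "created", created, "in %.1f ms" % (elapsed * 1000))
```

Run as a script, it prints how many processes or threads each model created for the same workload and how long each took.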

