Firewall Wizards mailing list archives

RE: RE: High Speed Firewalls


From: "David Newman" <dnewman () networktest com>
Date: Mon, 13 Mar 2000 19:37:31 -0500


> with a firewall being in the way.  I continue to assert that for whatever the
> upper bound is on network throughput, it is possible to put a big badass
> firewall in the way, and with sufficient memory and computes in the firewall,
> run that puppy at the same *throughput* as the un-mediated line.

This is a slightly different point than what was stated earlier (e.g.,
line-speed application throughput is possible), but on this latter point I
am in complete agreement. In fact, being in the benchmarking biz, I have a
very strong interest in seeing this happen.


> Consider an analogy to the New Jersey Turnpike:

Er, considering the amount of contraband that comes up the NJT, I'm not sure
this is the most appropriate analogy for firewalls! or perhaps it is :(

>    * if the power of the toll booth is sufficient, then all cars/packets get
>      their own booth upon arrival, and throughput is not affected

Cars slow down when approaching a toll booth and speed up going away from it,
and that affects their "throughput." Ditto packets traversing firewalls.

On some highways in Colorado (and probably elsewhere, but this is where I
saw them) cars with toll passes pass through tollbooths *at speed.* I'd love
to see something like this applied to firewalls. However, all the
implementations I'm aware of today do some kind of slow-path
inspection/learning/path selection before setting up a high-speed flow.

dn
