Firewall Wizards mailing list archives

RE: RE: High Speed Firewalls


From: "David Newman" <dnewman () networktest com>
Date: Tue, 14 Mar 2000 16:58:43 -0500

If the cars go from 65 MPH to 6.5 MPH (on average through the toll gate) then you need to go from 2 lanes to 20 lanes.  Is that "a hell of a lot"? Sure, it's more than most toll plazas that I've ever seen, but most traffic authorities are not so concerned with throughput that they will engineer a full-bandwidth toll plaza under peak load.

Again, the cars/toll booths thing isn't a good analogy here. I agree that
parallelism can be a big win in performance terms -- but probably not big
enough for the kinds of performance penalties we're facing with firewalls
deployed on networks of, um, interesting sizes and speeds.

Consider, for example, OC-48 (2.4-Gbit/s) links which are common today in
large carrier networks or OC-192 (10-Gbit/s) links that are beginning to
appear. Given current firewall speed limits of ~100 Mbit/s or less in each
direction, we're not talking about 10:1 parallelism -- indeed 1000:1 may be
more like it. This *might* work from a traffic engineering standpoint, but
there's no way any self-respecting ops guy (or gal) will sign off on a
network design that adds 999 more interfaces to manage. And guess what --
some of the optical people expect to see 40-Gbit/s and 80-Gbit/s interfaces
deployed in the next 2-3 years. So we go from 240-fold boosts to 8000-fold
boosts real soon now.

I understand that there are designs being developed that make heavy use of
parallelism, but they'll have to do a lot better than thousandfold increases
in the number of interfaces to get in the door.

dn
