Firewall Wizards mailing list archives

Re: RE: High Speed Firewalls


From: Crispin Cowan <crispin () wirex com>
Date: Tue, 14 Mar 2000 04:25:55 +0000

David Newman wrote:

> > > Cars slow down when approaching a toll booth and speed up going away from
> > > it, and that affects their "throughput." Ditto packets traversing firewalls.
> >
> > Not if the acceleration lanes are wide enough: 20 lanes of traffic moving at
> > 10 MPH has the same throughput as 5 lanes of traffic moving at 40 MPH.
> > Similarly, a "full speed" firewall may need to have several NICs on each side.
> > Parallelism solves many throughput problems, but rarely benefits latency
> > (except for reduced queue length).
>
> Eh? Here the analogy breaks. Regardless of the number of lanes, ALL the
> cars/packets were going 65 mph before they hit the toll booth/firewall. You
> need a hell of a lot of parallelism to make up for that.

You need a precisely measurable amount of parallelism to handle that. If the
cars go from 65 MPH to 6.5 MPH (on average through the toll gate) then you need
to go from 2 lanes to 20 lanes. Is that "a hell of a lot"? Sure, it's more
than most toll plazas that I've ever seen, but most traffic authorities are not
so concerned with throughput that they will engineer a full-bandwidth toll
plaza under peak load.

Similarly, most firewall vendors/customers are not so concerned with throughput
that they will pay the (substantial) cost of a machine with enough
computes/parallelism to do sophisticated inspection at full network bandwidth.
So it's rare and expensive, but not impossible.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
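
The lane arithmetic in the exchange above, as an added example that is not part of the original thread or of anything either poster wrote: a small Python model of packets arriving at line rate and being handed to N parallel inspection engines. All numbers are constructed for illustration, arrivals are assumed evenly spaced, every engine is assumed to take the same fixed time per packet, and the dispatcher is an idealized one that always hands the next packet to whichever engine frees up first. It shows both halves of the argument: enough lanes restore full throughput, but per-packet latency never drops below the inspection time itself, and fewer lanes than needed produce an ever-growing queue.

```python
"""Toll-plaza model of firewall parallelism (added example, not from the thread).

Assumptions, all constructed for illustration: packets arrive at a fixed
interval, every inspection engine takes the same fixed time per packet, and an
ideal dispatcher gives each packet to whichever engine becomes free first.
"""
import math
from typing import Tuple


def engines_needed(line_rate_pps: float, inspect_rate_pps: float) -> int:
    """Parallel engines ("lanes") needed so aggregate inspection keeps up with the line.

    With traffic at 65 and inspection at 6.5 (the thread's MPH figures) each
    original lane needs 10 inspection lanes.
    """
    if line_rate_pps <= 0 or inspect_rate_pps <= 0:
        raise ValueError("rates must be positive")
    return math.ceil(line_rate_pps / inspect_rate_pps)


def simulate(n_packets: int, arrival_interval: float, service_time: float,
             n_engines: int) -> Tuple[float, float, float]:
    """Push n_packets through n_engines parallel inspectors.

    Returns (steady-state throughput in packets per time unit,
             mean per-packet latency,
             worst queueing delay a packet saw before inspection began).
    """
    if n_packets < 2 or n_engines < 1:
        raise ValueError("need at least 2 packets and 1 engine")
    if arrival_interval <= 0 or service_time <= 0:
        raise ValueError("arrival interval and service time must be positive")

    free_at = [0.0] * n_engines      # time at which each engine is next idle
    total_latency = 0.0
    max_wait = 0.0
    first_finish = last_finish = 0.0

    for i in range(n_packets):
        arrival = i * arrival_interval
        k = min(range(n_engines), key=free_at.__getitem__)  # earliest-free engine
        start = max(arrival, free_at[k])    # packet queues if every engine is busy
        finish = start + service_time
        free_at[k] = finish
        max_wait = max(max_wait, start - arrival)
        total_latency += finish - arrival   # queueing delay + inspection time
        if i == 0:
            first_finish = finish
        last_finish = max(last_finish, finish)

    # Completions per unit time between the first and last completion, so the
    # warm-up of the first packet does not distort the steady-state figure.
    throughput = (n_packets - 1) / (last_finish - first_finish)
    return throughput, total_latency / n_packets, max_wait


if __name__ == "__main__":
    # One packet per time unit on the wire, 10 units to inspect each: the
    # 65 -> 6.5 MPH slowdown from the thread, hence 10 lanes per wire lane.
    lanes = engines_needed(65.0, 6.5)
    for n in (1, lanes, 2 * lanes):
        tput, lat, wait = simulate(1000, 1.0, 10.0, n)
        print(f"{n:2d} engines: throughput={tput:.3f} pps "
              f"mean_latency={lat:.1f} max_queue_wait={wait:.1f}")
```

With one engine the queue grows without bound and mean latency is dominated by waiting; with ten engines throughput returns to the full line rate and the queue vanishes, but every packet still spends the full inspection time in the box, and twenty engines change nothing further. That is the "rarely benefits latency (except for reduced queue length)" point in numbers. One caveat the idealized dispatcher hides: real multi-NIC or multi-core firewalls usually spread load by a per-flow hash, so a single heavy flow is pinned to one lane and sees that lane's throughput, not the aggregate.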