Firewall Wizards mailing list archives
RE: High Speed Firewalls
From: "David Newman" <dnewman () networktest com>
Date: Tue, 7 Mar 2000 15:39:54 -0500
> This does not follow. The overhead for the firewall will impose additional end-to-end latency (i.e. increasing ping times) but does not necessarily throttle throughput. Imagine a theoretical deeply pipelined firewall that can simultaneously process several packets in different stages. This is analogous to deeply pipelined CPUs that execute instructions that each take 5 clocks to execute, but nonetheless can complete one instruction per clock cycle. The firewall imposes latency, but most certainly can ingest and eject packets at line rates.
>
> Caveat: this is just picking on the above claimed theoretical limitation. Actual firewall rates are a matter for performance metrics. Continuing the above pipelined CPU analogy, 1 instruction per clock is an ideal that is hard to achieve in practice, and achieving line-rate throughput in a firewall is likely to be hard. Possible, but hard.
We may be talking at cross-purposes here. I agree fully with what you say here, but I was making a different point. My contention is that it is not possible to ftp a 12.5-Mbyte (100-Mbit) file through a firewall with 100Base-T interfaces in 1 second, even though the interfaces are theoretically capable of moving traffic at that rate. Even a perfect firewall will still have to deal with packet headers, TCP connection setup and teardown, and its own inspection engine -- and all that pushes us over our 1-second budget. Ergo, there's no such thing as "line-rate" throughput from an application perspective. Any claim that a firewall does so (and I've heard several such claims) is a lie.

This is a different issue than measuring bits on the wire, as we do when we benchmark switch or router performance. Of course there are firewalls that can saturate a 100Base-T link, full duplex; I've tested several of these. But they don't, and can't, push application data or even TCP at "line rate."

Apologies if I didn't state this clearly earlier: We have to be mindful of what layer we're measuring from with firewalls, given their L4/L7 capabilities.

David Newman
Network Test
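The arithmetic behind the 1-second budget argument above, worked through as an added example (this is not code from the thread or from Network Test). It assumes standard 100Base-T framing (8 bytes preamble/SFD, 14 bytes Ethernet header, 4 bytes FCS, 12 bytes inter-frame gap per frame), a 1500-byte MTU, and IPv4/TCP headers with no options unless stated; the RTT and number of setup round trips are constructed inputs. It models only the overhead that even a perfect forwarder cannot avoid, so any real inspection engine only makes the result worse.

```python
"""Throughput budget for a TCP file transfer across a 100Base-T firewall.

Added example, not from the mailing-list thread. Everything here is an
upper bound: header and framing overhead plus connection setup, with an
otherwise perfect (zero-cost) forwarder in the path.
"""

# Per-frame cost on the wire, in bytes (assumption: standard 100Base-T
# framing): preamble+SFD 8, dst/src/type 14, FCS 4, inter-frame gap 12.
ETHERNET_OVERHEAD_BYTES = 8 + 14 + 4 + 12
IPV4_HEADER_BYTES = 20   # no IP options
TCP_HEADER_BYTES = 20    # no TCP options unless passed explicitly


def max_tcp_goodput_bps(line_rate_bps, mtu=1500, tcp_options_bytes=0):
    """Upper bound on TCP payload bits/s across a link of the given line rate.

    Every full-size frame carries mtu - 40 - options bytes of application
    data but occupies mtu + 38 bytes of wire time, so goodput is the line
    rate scaled by that ratio. Ignores ACKs (they ride the reverse path on
    a full-duplex link) and any loss or retransmission.
    """
    payload = mtu - IPV4_HEADER_BYTES - TCP_HEADER_BYTES - tcp_options_bytes
    if payload <= 0:
        raise ValueError("MTU too small to carry any TCP payload")
    wire_bytes_per_frame = mtu + ETHERNET_OVERHEAD_BYTES
    return line_rate_bps * payload / wire_bytes_per_frame


def transfer_time_s(file_bytes, line_rate_bps, rtt_s, setup_rtts=2,
                    mtu=1500, tcp_options_bytes=0):
    """Seconds to move file_bytes end to end.

    setup_rtts counts the round trips spent before the first data byte
    (constructed default of 2: one TCP handshake for the FTP control
    channel and one for the data channel; a real session also spends RTTs
    on USER/PASS/PORT/RETR exchanges, so this is optimistic).
    """
    goodput = max_tcp_goodput_bps(line_rate_bps, mtu, tcp_options_bytes)
    return setup_rtts * rtt_s + file_bytes * 8 / goodput


def max_file_bytes_within(budget_s, line_rate_bps, rtt_s, setup_rtts=2,
                          mtu=1500, tcp_options_bytes=0):
    """Largest file that fits the time budget at the application layer."""
    goodput = max_tcp_goodput_bps(line_rate_bps, mtu, tcp_options_bytes)
    serialization_s = budget_s - setup_rtts * rtt_s
    return max(0.0, serialization_s * goodput / 8)


def meets_budget(file_bytes, budget_s, line_rate_bps, rtt_s, **kw):
    """True only if the transfer can finish inside budget_s on paper."""
    return transfer_time_s(file_bytes, line_rate_bps, rtt_s, **kw) <= budget_s


if __name__ == "__main__":
    line_rate = 100e6          # 100Base-T, bits/s
    file_size = 12.5e6         # bytes, the 100-Mbit file from the thread
    rtt = 0.001                # constructed 1 ms LAN round trip
    print(f"{'MTU':>5} {'TCP opts':>8} {'goodput Mbit/s':>15} {'time (s)':>9}")
    for mtu, opts in ((1500, 0), (1500, 12), (9000, 0)):
        goodput = max_tcp_goodput_bps(line_rate, mtu, opts) / 1e6
        t = transfer_time_s(file_size, line_rate, rtt, mtu=mtu,
                            tcp_options_bytes=opts)
        print(f"{mtu:>5} {opts:>8} {goodput:>15.2f} {t:>9.4f}")
    print("largest file that fits in 1 s at MTU 1500:",
          int(max_file_bytes_within(1.0, line_rate, rtt)), "bytes")
```

The table it prints shows that even with jumbo frames and a negligible RTT the 12.5-Mbyte transfer needs more than one second of wire time once TCP/IP headers and Ethernet framing are charged against the 100-Mbit/s line rate; the "line-rate" figure a switch benchmark reports counts those header bytes, the application does not. When evaluating a vendor's firewall throughput claim, the first question is therefore which layer the number was measured at.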
Current thread:
- Re: personal firewalls, (continued)
- Re: personal firewalls Rick Murphy (Mar 21)
- Re: personal firewalls elad (Mar 21)
- Re: High Speed Firewalls Mike Barkett (Mar 07)
- Re: High Speed Firewalls Bennett Todd (Mar 07)
- Active FTP behind a router doing NAT Arnaud Chiaberge (Mar 12)
- Re: Active FTP behind a router doing NAT Ryan Russell (Mar 17)
- Re: High Speed Firewalls Eric Hall (Mar 13)
- Re: High Speed Firewalls Crispin Cowan (Mar 12)
- RE: High Speed Firewalls David Newman (Mar 12)
- Re: High Speed Firewalls Crispin Cowan (Mar 12)
- RE: High Speed Firewalls David Newman (Mar 12)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 17)
- RE: RE: High Speed Firewalls David Newman (Mar 17)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)
- Re: RE: High Speed Firewalls Crispin Cowan (Mar 21)
- RE: RE: High Speed Firewalls David Newman (Mar 21)