Firewall Wizards mailing list archives
RE: Firewall Throughput
From: "JVBrown" <jvbrown () gte net>
Date: Tue, 12 Sep 2000 21:55:31 -0400
perhaps Mr. Moderator is busy for Interop, as this thread has got some of our heads spinning. imo... subject line is "firewall throughput" ...perhaps this thread should read "Pix functionality". While the discussion is quite architecturally esoteric, the subject line was lost messages ago.

A discussion thread on firewall throughput that does not include a single reference to NetScreen NS100 and NS1000 security, performance and value leadership position isn't representative. The NS1000 specifications are as follows... these are the industry standards in FW Throughput.

- 1Gb/s stateful-inspection NAT firewall
- 1Gb/s 3DES VPN
- 25k IPSec tunnels
- 500k concurrent sessions
- 40k access screening policies
- VLAN 802.1q Tag support
- Full ICSA Certification
- Multi-tenant 100 virtual systems within a system
- High Availability
- Full Redundancy

NS100 slouch(not) ... 100Mb NAT, >70Mb 3DES, HA, ~200k concurrent, 25k connections/second, etc.

If throughput is the singular design objective, and rock-solid security isn't a factor, about the only solution faster would be a wire itself, or some infrastructure device with ACL.

YMMV,
jvbrown
-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Patrick Darden
Sent: Tuesday, September 12, 2000 10:15 AM
To: Darren Reed
Cc: darren.mackay () uq net au; firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewall Throughput

On Tue, 12 Sep 2000, Darren Reed wrote:

> "Cisco push it along the lines of 'you don't want unix/windows on your firewall because they're crashable'"
>
> I would like to know where they state that. It would be pretty hypocritical as the PIX has a Unix based OS (Plan 9).
>
> http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
> Look for the words "Non-Unix" (strictly speaking, this *is* true even if it is Plan 9).
>
> Hmmm, the PIX is similar to the Nokia FW1 boxes in that they are hardened Unix derivatives, cut to the quick, performance enhanced, with ip filtering, stateful connection monitoring, and packet inspection. I find it interesting that they intimate bad things about Unix's security and performance, but only flat out state bad things about general purpose operating systems: "This design eliminates the risks associated with a general purpose operating system... (allowing the pix) to deliver outstanding performance". They are walking a fine line here. I would venture to say that they have even crossed it.
>
> They're different, they need a marketing angle, they drive it.
>
> "You damn well don't want a router as a firewall"
>
> I don't know of many firewalls that aren't routers as well, that includes the IP Filter you seem to like so much and even the BSD-based NOKIA running Checkpoint FW1. Application-layer proxy based firewalls usually aren't routers, but otherwise...
>
> Router = thing which tftp's boot images, does BGP4, has no hard disk, etc. Or to put it more succinctly in this thread, a Cisco 1234 thing.

That is not a good definition of a router. Routers do not have to boot via tftp, and they don't do it by default. Routers don't even have to use BGP4. The RFPs that define routers don't really mention any of this.... I know I am just being picky--you were just letting off steam.

> and likewise you shouldn't use routers to do firewalling when you're serious about firewalling.

I think we agree here, but I'll be picky again. Firewalls on routers have their place. I believe in a multi-layered approach to security, and the first layer is having a well protected router that provides ingress/egress filtering (e.g. to prevent DDOS). They certainly should not be solely relied upon.

> If I'm really serious about security then I *will* use/recommend a proxy firewall, even in addition to anything else which is there. There are some things they offer which just can't be matched, in terms of security, by any packet-filtering based firewall.

Again, I think we agree. An application proxy on a hardened host, behind a good stateful packet filter, is a tremendous security boost.

> Do yourself a favour and stay ignorant of the development methodology that goes on "behind the scenes" with Linux. What are they now, 2.4.pre34-test83, and still making major architectural changes inside it. That's *insane*. Sure, Solaris is stable, but you can't strap it down as securely as you can BSD, plus you get source code for BSD.

I'm aware of the procedure, and I also know that Linus put a freeze on new features months ago. He does not make major new architectural changes to the betas, and very rarely to the alphas. I agree that BSD is a great Unix. However, I am not holy enough to state it is the best, and I really try to stay out of these religious debates.

--
--Patrick Darden Internetworking Manager
-- 706.354.3312 darden () armc org
-- Athens Regional Medical Center

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards