Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Info Request: Looking for alternatives in HA/Load balancing firewallsthat are also scalable and modular. . .

From: David Lang <dlang () digitalinsight com>
Date: Fri, 7 Apr 2006 16:52:36 -0700 (PDT)
On Fri, 7 Apr 2006, Keith A. Glass wrote:


scalable. scaleable to what? are you talking an Internet connection where
you have a need for multiple T-1 lines? multiple DS-3 lines? multiple
OC-12 lines? or are you talking local networks where you have 100Mb
ethernet? or gig ethernet? or 10gig ethernet? are you talking just a
couple of these networks or are you talking about dozens of these
networks?


We have initial estimates of 300-500 GB/day in SMTP traffic alone, due to an
application that typically sends data in via SMTP in 2MB bundles.  But they
ALSO want to up the resolution of the graphics inside the bundles, so we've
been told to expect an order of magnitude jump about the time we start
implementing in the 2008-2009 timeframe.  And the data will tend to peak and
valley a lot. . . So, realistically, we're talking an initial traffic of 3-5
TB/day in SMTP alone.
5TB/day is a sustained 60MB/sec (1 1/2 DS-3's or so), given that you have a lot of peaks it's reasonable to say that your peak traffic is 2-3x that value. you are still talking about ~200Mb/sec of traffic.
this is comfortably handled with a P-III intel platform (a Nokia 740 appliance is this amount of power)
Sun has a checkpoint appliance that is Opteron based (defaults to 1.4GHz processors, you can upgrade it) for about $30K. this is a very moderate box by today's standard, but would handle the type of bandwidth requirements you are talking about trivially 


We have multiple OC's coming in, bandwidth isn't the immediate worry, it's
throughput. . .
again I need to ask for definitions. the best overall throughput is generally achieved by spreading the load evenly and running things at max capacity all the time. bandwidth requirements better represent your peak requirements, but I think what you are looking for is responsivness (or low latency). Even with that you should keep in mind that Internet use imposes a latency overhead (cross country is 100ms, a dial-up to the local ISP add 300ms), so you shouldn't let people get worked up about small latencies within your network or your firewalls. On modern hardware even dumb, forking proxies can end up with low enough latency that when added to a moderatly complex network don't add a measurable response to the end-to-end response time of the system. 

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no 
deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
 -- C.A.R. Hoare

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: