Firewall Wizards mailing list archives

Re: Firewall Sizing?


From: "Darden, Patrick S." <darden () armc org>
Date: Mon, 30 Jun 2008 10:12:20 -0400


Paul,

This is an incredibly complex question that I don't think has an easy answer.  Major factors (in *generally* 
descending order of importance):

1.  # concurrent sessions (this is more and more important the more your firewall does: layer 3, stateful, packet 
inspection, app proxy, anti-malware, vpn endpoints, ssl endpoints, etc.)
2.  bandwidth.
3.  # rules.
4.  complexity of rules.
5.  depth of the firewall--e.g. is it just layer 3 or is it doing application proxying as well?  Does it also scan for 
malware?  Even if it is only layer 3 is it stateful, is it doing packet inspection, is it doing protocol sanity 
checking?
6.  is it doing encryption, e.g. a VPN endpoint.  3DES takes a lot more cpu than AES.  etc.
7.  you should match the hardware it is running on to the depth of the firewall; e.g. if you are doing app proxying, 
virus checking, and stateful packet inspection, then you should have multiple CPUs.  If your rule base is large and 
stateful, and/or you are using several services such as VPN and app proxy, then you will need more RAM.  Etc.
8.  is it doing a lot of routing as well?
9.  Is the hardware dedicated/accelerated in any way--e.g. using ASICS for ROSM, thus making extensive routing less of 
an issue (e.g. for a WAN firewall with hundreds of networks attached).

My best advice to you is to get a unit and test it in a lab under worst case conditions (take what you have and double 
it--# connections, # rules, etc.).  In lieu of that--over-purchase.  You don't want to do a major upgrade and then have 
to do it again due to performance issues.

--p

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Paul
Hutchings
Sent: Thursday, June 26, 2008 1:59 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Firewall Sizing?


How do you go about sizing a firewall?

I ask both generally and specifically.  Right now I need to replace  
an existing ISA server, and top of the list is a Secure Computing  
Sidewinder (those Palo Alto boxes look nice but they're just too much  
$$$ to go beyond looking at the features on the website :-)).

Anyway, as with most vendors there's a number of models and a number  
of specs that vary as you move up the range - throughput, max  
sessions, recommended users etc.

In our case I suspect we're a bit of an oddity, as we have a fat  
internet pipe and a few hundred users, but not all have full internet  
access and there's very little in the way of concurrent access (I  
think the most concurrent sessions I've ever seen was around 3000 and  
that depends on the vendor's idea of a session).

Because of this, with most vendors I'm thinking of our situation and  
on paper 9/10 times the low-end units appear suitable, but the vendors  
seem to simply hear "few hundred users" and "fat internet pipe" and  
try and persuade me I need the higher-end models.

What puts the most load on a modern firewall such as a Sidewinder, is  
it sheer throughput, is it keeping track of X sessions to/from Y  
clients and so on?

I'd appreciate any thoughts/input on how you go about sizing/speccing  
these things if you don't have the budget to simply buy a mid- to  
top range unit.

cheers,
Paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
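Both messages above turn on the same number: peak concurrent sessions, which (as Paul notes) depends on what the vendor counts as a "session". The following is an added example, not code from either poster or from any firewall vendor. It takes a constructed set of five-tuple flow records (start/end time, src, sport, dst, dport, proto, the kind of thing a connection log or NetFlow export gives you) and runs a sweep over the start/end events to find the peak number of simultaneously active sessions under three hypothetical session definitions: per flow, per client IP, and per destination service. It then applies Patrick's "take what you have and double it" rule to produce a lab-test target. The log format, the IPs and the three definitions are all assumptions for illustration.

```python
"""Peak concurrent session counter for firewall sizing (added example).

Sample data below is constructed; the record layout is an assumption
chosen to look like a flow/connection log export, not any vendor's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Hashable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample log: "start,end,src,sport,dst,dport,proto" (RFC 5737 addresses).
SAMPLE_LOG = """\
2008-06-26T13:00:00,2008-06-26T13:00:30,10.1.1.10,51000,203.0.113.5,80,tcp
2008-06-26T13:00:05,2008-06-26T13:00:12,10.1.1.10,51001,203.0.113.5,80,tcp
2008-06-26T13:00:05,2008-06-26T13:00:12,10.1.1.10,51002,203.0.113.5,443,tcp
2008-06-26T13:00:10,2008-06-26T13:01:00,10.1.1.11,40000,203.0.113.9,443,tcp
2008-06-26T13:00:11,2008-06-26T13:00:11,10.1.1.11,40001,198.51.100.2,53,udp
2008-06-26T13:00:40,2008-06-26T13:00:50,10.1.1.12,33000,203.0.113.5,80,tcp
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV layout into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, sport, dst, dport, proto = line.split(",")
        flows.append(Flow(datetime.fromisoformat(start), datetime.fromisoformat(end),
                          src, int(sport), dst, int(dport), proto))
    return flows


# Three hypothetical "what is a session" definitions; a vendor's real one may differ.
def by_flow(f: Flow) -> Hashable:      # every 5-tuple is its own session (stateful table entry)
    return (f.src, f.sport, f.dst, f.dport, f.proto)

def by_client(f: Flow) -> Hashable:    # one "session" per client IP with any active flow
    return f.src

def by_service(f: Flow) -> Hashable:   # one per destination host:port (e.g. proxy backend)
    return (f.dst, f.dport)


def peak_concurrency(flows: List[Flow],
                     key: Callable[[Flow], Hashable]) -> Tuple[int, Optional[datetime]]:
    """Sweep start/end events; return (peak distinct active keys, time peak first reached).

    Starts sort before ends at equal timestamps, so a zero-length flow (e.g. a
    single DNS exchange) still counts at that instant. That over-counts rather
    than under-counts, which is the conservative direction for sizing.
    """
    events = []
    for f in flows:
        k = key(f)
        events.append((f.start, 0, k))   # 0 = start
        events.append((f.end, 1, k))     # 1 = end
    events.sort(key=lambda e: (e[0], e[1]))

    active = defaultdict(int)            # key -> number of flows currently open
    distinct = 0                         # keys with at least one open flow
    peak, peak_at = 0, None
    for t, kind, k in events:
        if kind == 0:
            if active[k] == 0:
                distinct += 1
            active[k] += 1
            if distinct > peak:
                peak, peak_at = distinct, t
        else:
            active[k] -= 1
            if active[k] == 0:
                distinct -= 1
    return peak, peak_at


def sizing_report(flows: List[Flow], headroom: float = 2.0) -> dict:
    """Peak under each definition plus the doubled worst-case lab target."""
    report = {}
    for name, key in (("flow", by_flow), ("client", by_client), ("service", by_service)):
        peak, at = peak_concurrency(flows, key)
        report[name] = {"peak": peak,
                        "at": at.isoformat() if at else None,
                        "lab_target": int(peak * headroom)}
    return report


if __name__ == "__main__":
    for name, row in sizing_report(parse_flows(SAMPLE_LOG)).items():
        print(f"{name:8s} peak={row['peak']:4d} at {row['at']}  test-at={row['lab_target']}")
```

On the sample data the same traffic comes out as 5 sessions per flow, 4 per destination service, or 2 per client, which is the gap between a datasheet "max sessions" figure and what a few hundred users actually generate. Point `parse_flows` at a day of real connection logs and the `lab_target` column is the number to load-test against before buying.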