Firewall Wizards mailing list archives
RE: Firewall performance
From: sean.kelly () lanston com
Date: Wed, 23 Jun 1999 17:20:51 -0400
From: Sandy Green [mailto:sand232 () yahoo com]
Subject: Re: Firewall performance

Thanks to all those who responded. But actually that does not answer my query. There is a lab report on the Check Point site about the Solaris vs NT performance. Fine... but actually there are other important factors like PCI bus speed of the computer as well, CPU speed, memory.
Speaking from more of a speculative/theoretical standpoint, there are quite a number of factors that affect PC-based (a PC being an NT box, Sparc, whatever) firewall performance. Products such as the PIX firewall that sits inside a switch have some of these in common, but because of how switches are designed it's generally not an issue. That said, the performance of a software firewall may depend on these things:

Hardware:
* Speed of the network card(s)
* Number of network cards
* Speed of the underlying data bus (PCI, etc.)
* Speed of the CPU
* Amount of RAM

Software:
* The firewall code itself. How it was written will to some degree be a determining factor in how much each of the above issues affects performance.
* The operating system. Different OSes obviously perform differently in comparable areas. This has to do with things like resource management, caching, multithreading, etc.
* The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have a sub-par TCP/IP stack as far as performance is concerned, i.e. max throughput for a single socket in NT will generally be less than on Solaris, etc. The best software in the world can only send and receive data as quickly as the TCP/IP stack can manage.
* What else is running on the box. Some people use their firewalls for other purposes also. This can affect performance.

You get the idea.... I can't give you any links to performance comparisons offhand, but here are a few comments:

First, a performance comparison would have to be by cost of machine. Since architecture differs between Intel-based machines and (say) Sparcs, it would be difficult to build identical machines to perform tests with.

Second, there will always be SOME barrier to performance, though configuration and usage will ultimately determine what it is. If a machine is servicing a huge amount of traffic, it may bog down in context switching and bus bandwidth long before it runs out of available RAM.
Ultimately, this all comes down to a question of need vs. cost: how much performance do you need and how much are you willing to pay for it? A smaller company would probably do fine running FreeBSD or NT and some firewall software. Cost-justifying some huge piece of hardware would be difficult. Do you have someone who can manage it or will you have to hire/train someone? etc.

I used to work at a telco and had a boss who had been in the military. If we needed something we bought two of them and had a rule to never exceed 60% of available resources. If we hit that mark, we bought more stuff. A similar approach can be taken with this. Buy at least 50% more than you think you'll need with the expectation that you will probably have to step up in the future, i.e. don't lock yourself into one solution just because it's cheap and gets the job done unless you don't mind having to completely replace it later.

I don't feel that an in-depth analysis of how different PC hardware configurations affect firewall performance is ultimately useful. Sure, you could set up a PC and push a ton of data through it, then switch out CPUs or add more RAM and do it all again, then try a different network card and run more tests, but ultimately what you'll end up with is a measurement of how various configurations scale against themselves. PC hardware is cheap and an OC1 is only 1.54 Mbps. If you're trying to service a considerable amount of bandwidth then you won't even be in the PC realm anymore anyway.

Purchasing a firewall ultimately comes down to its reliability. I'd assume that any solution you can afford will be able to handle the bandwidth you need. Especially if you cost-justify vs. a business-halting break-in. The big question is: will it keep the bad people out?

-Sean
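The "push a ton of data through it" measurement Sean describes, and the single-socket stack ceiling he mentions, can be checked with a small TCP throughput harness. The script below is an added example written for this archive page, not code from the thread or from any firewall vendor. It opens one or several parallel TCP streams from a source to a sink, counts the bytes that arrive and reports megabits per second. Run stand-alone it measures the local loopback stack (the 127.0.0.1 default and the 64 KiB chunk size are assumptions); to measure a path through a firewall, bind the sink on the far side and point the sources at it. The absolute numbers mean nothing across machines, which is exactly Sean's point, but the 1-stream vs N-stream comparison does show whether a per-socket limit, rather than the wire, is what you are hitting.

```python
import socket
import threading
import time

CHUNK = 64 * 1024  # send/recv buffer size; an assumption, tune to the NIC and stack


def run_sink(listener, n_streams):
    """Accept n_streams connections on an already-listening socket, drain each
    to EOF in its own thread, and return the per-stream byte counts."""
    counts = [0] * n_streams

    def drain(conn, idx):
        total = 0
        with conn:
            while True:
                data = conn.recv(CHUNK)
                if not data:          # peer did shutdown(SHUT_WR): stream done
                    break
                total += len(data)
        counts[idx] = total

    threads = []
    for i in range(n_streams):
        conn, _ = listener.accept()
        t = threading.Thread(target=drain, args=(conn, i))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()
    return counts


def run_source(host, port, nbytes):
    """Open one TCP connection to the sink and push exactly nbytes through it."""
    payload = b"\x00" * CHUNK
    with socket.create_connection((host, port)) as s:
        sent = 0
        while sent < nbytes:
            n = min(CHUNK, nbytes - sent)
            s.sendall(payload[:n])
            sent += n
        s.shutdown(socket.SHUT_WR)    # EOF for the sink before we close
    return sent


def measure(nbytes_total, n_streams, host="127.0.0.1"):
    """Move nbytes_total over n_streams parallel connections and return
    (bytes_received, elapsed_seconds, megabits_per_second).
    host is where the sink binds; sources connect to the same address."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # ephemeral port, no fixed port assumed
    listener.listen(n_streams)
    port = listener.getsockname()[1]

    result = {}
    sink = threading.Thread(
        target=lambda: result.update(counts=run_sink(listener, n_streams)))
    sink.start()

    per_stream = nbytes_total // n_streams
    sources = [threading.Thread(target=run_source, args=(host, port, per_stream))
               for _ in range(n_streams)]
    start = time.perf_counter()
    for t in sources:
        t.start()
    for t in sources:
        t.join()
    sink.join()
    elapsed = time.perf_counter() - start
    listener.close()

    received = sum(result["counts"])
    mbps = received * 8 / elapsed / 1e6
    return received, elapsed, mbps


def compare_stream_counts(nbytes_total, stream_counts=(1, 4)):
    """Run the same byte volume over each stream count in turn. A per-socket
    ceiling shows up as the multi-stream figure clearly beating the 1-stream one;
    a wire or bus limit shows up as both figures landing in the same place."""
    return {n: measure(nbytes_total, n) for n in stream_counts}


if __name__ == "__main__":
    for n, (rx, secs, mbps) in compare_stream_counts(64 * 1024 * 1024).items():
        print(f"{n} stream(s): {rx} bytes in {secs:.3f}s = {mbps:.0f} Mbit/s")
```

Repeat each run a few times and take the median; on a loaded box the first run is often dominated by the "what else is running" factor from the list above rather than by the stack or the hardware.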
Current thread:
- Re: Firewall performance Sandy Green (Jun 23)
- Re: Firewall performance Chris Brenton (Jun 23)
- Re: Firewall performance Lance Spitzner (Jun 23)
- Re: Firewall performance Carric Dooley (Jun 25)
- <Possible follow-ups>
- RE: Firewall performance Choi, Byoung (Jun 23)
- RE: Firewall performance sean . kelly (Jun 23)
- RE: Firewall performance Marcus J. Ranum (Jun 23)
- RE: Firewall performance David LeBlanc (Jun 28)
- RE: Firewall performance Ryan Russell (Jun 24)
- RE: Firewall performance David C Niemi (Jun 28)
- Re: Firewall performance Darren Reed (Jun 29)
- Re: Firewall performance Mike Shaver (Jun 29)
- Re: Firewall performance Darren Reed (Jun 29)
- RE: Firewall performance David C Niemi (Jun 28)
- RE: Firewall performance David LeBlanc (Jun 28)