Firewall Wizards mailing list archives

RE: Firewall performance


From: sean.kelly () lanston com
Date: Wed, 23 Jun 1999 17:20:51 -0400

From: Sandy Green [mailto:sand232 () yahoo com]
Subject: Re: Firewall performance


Thanks to all those who responded. But actually
that does not answer my query.
There is a lab report on the Checkpoint site about the
Solaris vs NT performance.
Fine.... but actually there are other important factors
like PCI bus speed of the computer as well, CPU
speed, memory.

Speaking from more of a speculative/theoretical standpoint, there are quite
a number of factors that affect PC-based (a PC being an NT box, Sparc,
whatever) firewall performance.  Products such as the PIX firewall that sit
inside a switch have some of these in common, but because of how switches are
designed it's generally not an issue.  That said, the performance of a
software firewall may depend on these things:

Hardware:

* Speed of the network card(s)
* Number of network cards
* Speed of the underlying data bus (PCI, etc.)
* Speed of the CPU
* Amount of RAM

Software:

* The firewall code itself.  How it was written will to some degree be a
determining factor in how much each of the above issues affect performance.

* The operating system.  Different OSes obviously perform differently in
comparable areas.  This has to do with things like resource management,
caching, multithreading, etc.

* The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have
a sub-par TCP/IP stack as far as performance is concerned.  I.e., max
throughput for a single socket in NT will generally be less than on Solaris,
etc.  The best software in the world can only send and receive data as
quickly as the TCP/IP stack can manage.

* What else is running on the box.  Some people use their firewalls for
other purposes also.  This can affect performance.


You get the idea....  I can't give you any links to performance comparisons
offhand, but here are a few comments:

First, performance comparison would have to be by cost of machine.  Since
architecture differs between Intel-based machines and (say) Sparcs, it would
be difficult to build identical machines to perform tests with.

Second, there will always be SOME barrier to performance, though
configuration and usage will ultimately determine what it is.  If a machine
is servicing a huge amount of traffic, it may bog down in context switching
and bus bandwidth long before it runs out of available RAM.  Ultimately,
this all comes down to a question of need vs. cost: how much performance do
you need and how much are you willing to pay for it?  A smaller company
would probably do fine running FreeBSD or NT and some firewall software.
Cost-justifying some huge piece of hardware would be difficult.  Do you have
someone who can manage it or will you have to hire/train someone? etc.

I used to work at a telco and had a boss who had been in the military.  If
we needed something we bought two of them and had a rule to never exceed 60%
of available resources.  If we hit that mark, we bought more stuff.  A
similar approach can be taken with this.  Buy at least 50% more than you
think you'll need with the expectation that you will probably have to
step up in the future.  I.e., don't lock yourself into one solution just
because it's cheap and gets the job done unless you don't mind having to
completely replace it later.

I don't feel that an in-depth analysis of how different PC hardware
configurations affect firewall performance is ultimately useful.  Sure you
could set up a PC and push a ton of data through it, then switch out CPUs or
add more RAM and do it all again then try a different network card and run
more tests but ultimately what you'll end up with is a measurement of how
various configurations scale against themselves.  PC hardware is cheap and
an OC1 is only 1.54Mbs.  If you're trying to service a considerable amount
of bandwidth then you won't even be in the PC realm anymore anyway.
Purchasing a firewall ultimately comes down to its reliability.  I'd assume
that any solution you can afford will be able to handle the bandwidth you
need, especially if you cost-justify it vs. a business-halting break-in.  The
big question is: will it keep the bad people out?


-Sean
