Firewall Wizards mailing list archives
Re: Firewall performance
From: Carric Dooley <carric () com2usa com>
Date: Thu, 24 Jun 1999 09:48:26 -0400 (EDT)
In your first posting you appeared to be asking what things besides RAM, CPU and link speed would affect firewall performance. I am still not 100% clear on what kind of data you are after in fact. Of course RAM and CPU make a difference on a firewall's ability to handle a given load, but you will also run into the inherent limitations of the OS or the protocol stack (sometimes before you are even touching what the processor can do, or the RAM can handle, or before the link is saturated).

I have worked with a client that was working with an older firewall (it was I think a 2 year old copy of Gauntlet) and even though they had upgraded to a Sparc 20 with dual CPUs and 256MB of RAM, the response still sucked. There were 2000 users using almost exclusively http, but at certain times of the day you would have to hit refresh several times to get to a web site. The interesting thing is, if you were trying to get to a site to download a large file, when you finally initiated the download, it screamed. Obviously the pipe was far from saturated. I have also seen 2 similarly configured machines handle 10,000 users (running FW-1 v.2.x) and doing a MUCH better job, so it was not a limitation of the hardware in my estimation.

Another factor to consider is: What kind of firewall is it? Is it an app proxy or stateful inspection? For an app proxy I would be more concerned with how fast the CPU was. Yes RAM is definitely critical, but I want the fastest damned thing I can find because it is tearing down and rebuilding every packet that comes through it. For stateful inspection, I am going to be concerned with CPU, but for a high volume site, I am going to push for a ton of RAM so it can keep all the state information ready and available.

I think you are asking "how fast can a car go" or "what do I need to build a house", but without knowing what your needs are, the answer can only be as vague as the question.
Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Tue, 22 Jun 1999, Sandy Green wrote:
Thanks to all those who responded. But actually that does not answer my query. There is a lab report on the checkpoint site about the Solaris vs NT performance. fine.... but actually there are other important factors like PCI bus speed of the computer as well, CPU speed, memory. The point is that even if the CPU speed is a 500 MHz Pentium and memory is 10 MB, that does not help improve the performance. What the labs do is get a machine from DELL/COMPAQ, latest model as shipped by them, and perform the tests on them without tailoring the RAM or PCI speed.

I have done some tests on a server with 500 MB of RAM! and there was no significant improvement.

I thought that this list would have experienced such issues in their environments. But unluckily for me I have not got any response from any of the list members. But I would keep persisting....

thanks to all. and please do email me.

sandy

Date: Thu, 17 Jun 1999 17:58:46 -0700 (PDT)
From: Sandy Green <sand232 () yahoo com>
Subject: Security conference NETSEC 99

Dear list members,

I needed to get some sort of feedback about the recently held Security conference NETSEC 99. All the lucky ones who attended this conference would have certainly benefited from it. But for some reason(s) I could not make it. I would greatly appreciate if some of you could share your experiences and learning with me.

Second. This is about the firewall performance. In my mind these would be the factors for the bastion host performance (processing the number of packets and taking a decision): CPU speed, PCI bus speed, Memory,..., and of course the WAN link connectivity speed... any more

All these factors have in turn a direct bearing on each other... just like security as strong as the weakest link, similarly the processing speed (of the firewall) would be as fast as the slowest parameter (CPU speed, WAN/LAN connectivity speed, PCI bus speed...)

Please let me know your views or could point me to resources on the web.
Thanks
sandy