Firewall Wizards mailing list archives
Re: RE: High Speed Firewalls
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 14 Mar 2000 00:53:04 +0000
David Newman wrote:
>> * if the power of the toll booth is sufficient, then all cars/packets get their own booth upon arrival, and throughput is not affected
> Cars slow down when approaching a toll booth and speed up going away from it, and that affects their "throughput." Ditto packets traversing firewalls.
Not if the acceleration lanes are wide enough: 20 lanes of traffic moving at 10 MPH has the same throughput as 5 lanes of traffic moving at 40 MPH. Similarly, a "full speed" firewall may need to have several NICs on each side. Parallelism solves many throughput problems, but rarely benefits latency (except for reduced queue length).
> On some highways in Colorado (and probably elsewhere, but this is where I saw them) cars with toll passes pass through tollbooths *at speed.* I'd love to see something like this applied to firewalls. However, all the implementations I'm aware of today do some kind of slow-path inspection/learning/path selection before setting up a high-speed flow.
Working our analogy some more, this is akin to reducing the compute load on the firewall. "high speed flow" == "low effort flow". Do that as much as you (securely) can. When you can't think of anything else, and you still want it to provide more throughput, then throw parallelism at it.
From a brief glance at the Rainnet web site, it appears that this is what they do. The art is in how well they do it such that the parallelism actually does deliver enhanced throughput. Poorly placed interlocks (think of pipelined CPUs or SIMD computers) can reduce a very parallel machine to its sequential speed. At this point we return to actual benchmarking of products, where I accede to Newman's benchmarking experience.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html