Firewall Wizards mailing list archives
Re: [RE: RE: High Speed Firewalls]
From: James Vaughn <j.vaughn () usa net>
Date: 21 Mar 00 21:31:06 CST
I've avoided this thread since its early stages of "My network is bigger/faster than yours!", but...

[TCP] packets will travel through the 'bandwidth' path at the best 'rate' available -- whether on analog, digital, or optical wavelengths... Electrons only move so fast through any medium. The analogy of "packets" to "cars on a highway" is great when trying to explain, roughly, how 'bandwidth' works to the layman (laywoman?...) -- in theory. In reality, it's not sufficient.

"Bottlenecks" are often compared to toll-booths on the highway... Unfortunately, the joe-average (or jane-average) router / firewall doesn't typically have 12 processors [read: 12 booth operators on the highway toll system.] Most routers / firewalls have /one/ processor. In terms of raw physics, I don't know of /any/ "single proc" system (routers and other "hardware solutions" have processors...) that can handle more than one calculation at a time -- even if it only takes a nano-second. (MIPS, "millions of instructions per second", being an antiquated term nowadays, aside...)

In the United States, at least, HiCAP lines/pipes beyond the trunked variety (T1, T3) and subscriber lines (a/s/xDSL, DS3, etc.) are not commonly available for sale -- there's only so many "backbones" available... I.e., Joe/Jane SysAdmin from XYZ.Com can't just call up a local Bell company and say, "Yeah, we'd like an OC-3, please." Thus, effectively, the /most/ any individual or company can "purchase" or have "in house" for bandwidth is, for all intents and purposes, a ~45 MBit/Sec provider line. Far as I know, you can't typically MUX trunked 1s or 3s as you can ISDN or POTS lines...

45 MB/s MAXIMUM 'throughput', NOT including (typical in most networking environments not 'optimized'):

* broadcast traffic (NetBIOS, UNC & WINS, DNS, etc.)
* authentication (Posix-SAMBA, PDC/BDC Replication, Logins, etc.)
* failed/retry SYN/ACKs (Garbled headers, failed encryption keys, etc.)
* HUB traffic (collisions, topology restrictions, etc.)
* Layer-1 Failures (Un-shielded cable, Proc/Mem Overruns, etc.)
* Misc. Congestion (blind probes, spam, non-RFC compliant traffic, etc.)
* Schroedinger's failures (Laws of Physics, etc.)
* Inefficient Configuration (of ACL's, Conduits, rTables, etc.)
* etc...

Result is a substantially lessened "cars down the road" throughput than 'optimal' conditions would typically imply. No, I haven't "tested" any of this in a "dedicated" environment -- time is more valuable than the obvious, which is:

* For an overwhelming majority of companies, individuals, and resources, "High Speed" anything is limited to a realistic maximum of approximately ~40MB/s of throughput -- under the best of conditions. And that's assuming destinations to which any network traffic is sent meet similar conditions and qualifications.

If you run NetOps for Amazon.Com or AltaVista.Com, it's [obviously] a different story. For most of "us", however, it's a completely moot discussion.

Firewalls are for protection -- routers are for traffic control & direction. Protection implies 'keeping others out' and, therefore, assumes that we're talking about "High Speed" firewalls for the purpose of internal -> ! <- external traffic control -- i.e., NOT that frame relay between your home office and its satellite location, or VPN solutions for remote users, or (s)NAT for the h3ll of it...

Having a GBEthernet-capable LAN (switches, no hubs at all, plenum-shielded cables, load balancing, etc.) means absolutely /NOTHING/ in terms of THROUGHPUT / BANDWIDTH communication with the OUTSIDE world -- i.e., the Internet -- to most internet-enabled companies in the world. Your inbound/outbound traffic efficiency will be /better/ as a result of more tightly organized infrastructure, but the MAXIMUM throughput isn't going to increase as a result of 100MB switches on your LAN...
I'm sure I'll regret this email response tomorrow, but this "High Speed Firewalls" thread has gone beyond its topic/subject... Give any ONE of us on this discussion list unlimited funds & time, and we'll all [individually] work up the best d@mn, fastest, coolest-looking network you've ever seen! But, realistically, what does this thread [now] have to do with nfr / firewall security?

Anyway, regards...

- James D Vaughn

"David Newman" <dnewman () networktest com> wrote:
> > > Cars slow down when approaching a toll booth and speed up going away from it, and that affects their "throughput." Ditto packets traversing firewalls.
> >
> > Not if the acceleration lanes are wide enough: 20 lanes of traffic moving at 10 MPH has the same throughput as 5 lanes of traffic moving at 40 MPH. Similarly, a "full speed" firewall may need to have several NICs on each side. Parallelism solves many throughput problems, but rarely benefits latency (except for reduced queue length).
>
> Eh? Here the analogy breaks. Regardless of the number of lanes, ALL the cars/packets were going 65 mph before they hit the toll booth/firewall. You need a hell of a lot of parallelism to make up for that.
>
> dn