Firewall Wizards mailing list archives

Re: [RE: RE: High Speed Firewalls]


From: James Vaughn <j.vaughn () usa net>
Date: 21 Mar 00 21:31:06 CST


I've avoided this thread since its early stages of, "My network is
bigger/faster than yours!", but...

[TCP] packets will travel through the 'bandwidth' path at the best 'rate'
available -- whether on analog, digital, or optical wavelengths...  Electrons
only move so fast through any medium.  The analogy of "packets" to "cars on a
highway" is great when trying to explain, roughly, how 'bandwidth' works to
the layman (laywoman?...) -- in theory.  In reality, it's not sufficient.

"Bottlenecks" are often compared to toll-booths on the highway... 
Unfortunately, the joe-average (or jane-average) router / firewall doesn't
typically have 12 processors [read: 12 booth operators on the highway toll
system.]  Most routers / firewalls have /one/ processor.

In terms of raw physics, I don't know of /any/ "single proc" system (routers
and other "hardware solutions" have processors...) that can handle more than
one calculation at a time -- even if it only takes a nano-second.  (MIPS,
"millions of instructions per second", being an antiquated term nowadays,
aside...)

In the United States, at least, HiCAP lines/pipes beyond the trunked variety
(T1, T3) and subscriber lines (a/s/xDSL, DS3, etc.) are not commonly available
for sale -- there's only so many "backbones" available...  I.e., Joe/Jane
SysAdmin from XYZ.Com can't just call up a local Bell company and say, "Yeah,
we'd like an OC-3, please."

Thus, effectively, the /most/ any individual or company can "purchase" or have
"in house" for bandwidth is, for all intents and purposes, a ~45 MBit/Sec
provider line.  Far as I know, you can't typically MUX trunked 1s or 3s as you
can ISDN or POTS lines...

45 MB/s MAXIMUM 'throughput', NOT including (typical in most networking
environments not 'optimized'):
  * broadcast traffic (NetBIOS, UNC & WINS, DNS, etc.)
  * authentication (Posix-SAMBA, PDC/BDC Replication, Logins, etc.)
  * failed/retry SYN/ACKs (Garbled headers, failed encryption keys, etc.)
  * HUB traffic (collisions, topology restrictions, etc.)
  * Layer-1 Failures (Un-shielded cable, Proc/Mem Overruns, etc.)
  * Misc. Congestion (blind probes, spam, non-RFC compliant traffic, etc.)
  * Schroedinger's failures (Laws of Physics, etc.)
  * Inefficient Configuration (of ACL's, Conduits, rTables, etc.)
  * etc...

Result is a substantially lessened, "cars down the road" throughput than
'optimal' conditions would typically imply.  No, I haven't "tested" any of
this in a "dedicated" environment -- time is more valuable than the obvious,
which is:

*  For an overwhelming majority of companies, individuals, and resources,
"High Speed" anything is limited to a realistic maximum of approximately
~40MB/s of throughput -- under the best of conditions.  And that's assuming
destinations to which any network traffic is sent meets similar conditions and
qualifications.

If you run NetOps for Amazon.Com or AltaVista.Com, it's [obviously] a
different story.  For most of "us", however, it's a completely moot
discussion.

Firewalls are for protection -- routers are for traffic control & direction. 
Protection implies 'keeping others out' and, therefore, assumes that we're
talking about "High Speed" firewalls for the purpose of internal -> ! <-
external traffic control -- i.e., NOT that frame relay between your home
office and its satellite location, or VPN solutions for remote users, or
(s)NAT for the h3ll of it...

Having a GBEthernet-capable LAN (switches, no hubs at all, plenum-shielded
cables, load balancing, etc.) means absolutely /NOTHING/ in terms of
THROUGHPUT / BANDWIDTH communication with the OUTSIDE world -- i.e., the
Internet -- to most internet-enabled companies in the world.  Your
inbound/outbound traffic efficiency will be /better/ as a result of more
tightly organized infrastructure, but the MAXIMUM throughput isn't going to
increase as a result of 100MB switches on your LAN...

I'm sure I'll regret this email response tomorrow, but this "High Speed
Firewalls" thread has gone beyond its topic/subject...  Give any ONE of us on
this discussion list unlimited funds & time, and we'll all [individually] work
up the best d@mn, fastest, coolest-looking network you've ever seen!  But,
realistically, what does this thread [now] have to do with nfr / firewall
security?

Anyway, regards...

- James D Vaughn


"David Newman" <dnewman () networktest com> wrote:

Cars slow down when approaching a toll booth and speed up going away from it,
and that affects their "throughput." Ditto packets traversing firewalls.

Not if the acceleration lanes are wide enough: 20 lanes of traffic moving at
10 MPH has the same throughput as 5 lanes of traffic moving at 40 MPH.
Similarly, a "full speed" firewall may need to have several NICs on each side.
Parallelism solves many throughput problems, but rarely benefits latency
(except for reduced queue length).

Eh? Here the analogy breaks. Regardless of the number of lanes, ALL the
cars/packets were going 65 mph before they hit the toll booth/firewall. You
need a hell of a lot of parallelism to make up for that.

dn
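The two points above (one inspection engine can only work on one packet at a time, and adding parallel engines raises throughput but never shortens the inspection each packet must still undergo) can be checked with a small queueing simulation. The following is an added example, not code from either poster; the arrival interval, inspection time and engine counts are constructed values chosen so that one engine is saturated and two are not.

```python
"""Toy queueing model of a firewall inspection path (added example).

Each packet must spend a fixed inspection time in an engine (the 'toll
booth').  Adding engines raises capacity, but no packet ever gets through
faster than one inspection time; parallelism only removes queueing delay.
All numbers below are constructed for illustration.
"""
import bisect
import heapq
from dataclasses import dataclass


@dataclass
class PathStats:
    throughput_pps: float   # packets completed per second over the run
    mean_latency_us: float  # arrival to departure: queue wait + inspection
    min_latency_us: int     # best case any packet saw
    max_queued: int         # deepest backlog observed at any arrival


def capacity_pps(inspect_us: int, engines: int) -> float:
    """Theoretical ceiling: each engine finishes one packet per inspect_us."""
    return engines * 1_000_000 / inspect_us


def simulate(arrival_interval_us: int, inspect_us: int, engines: int,
             n_packets: int) -> PathStats:
    """Packets arrive every arrival_interval_us; each needs inspect_us of
    exclusive engine time; the next free engine takes the next packet."""
    free_at = [0] * engines          # min-heap of times each engine frees up
    heapq.heapify(free_at)
    starts = []                      # non-decreasing start times, for queue depth
    latencies = []
    max_queued = 0
    last_departure = 0
    for i in range(n_packets):
        arrival = i * arrival_interval_us
        # packets that arrived earlier but have not yet started inspection
        queued = i - bisect.bisect_right(starts, arrival)
        max_queued = max(max_queued, queued)
        engine_free = heapq.heappop(free_at)
        start = max(arrival, engine_free)
        finish = start + inspect_us
        heapq.heappush(free_at, finish)
        starts.append(start)
        latencies.append(finish - arrival)
        last_departure = max(last_departure, finish)
    return PathStats(
        throughput_pps=n_packets * 1_000_000 / last_departure,
        mean_latency_us=sum(latencies) / n_packets,
        min_latency_us=min(latencies),
        max_queued=max_queued,
    )


if __name__ == "__main__":
    # 1000 pps offered, 2 ms per inspection: one engine saturates at 500 pps
    for engines in (1, 2, 4):
        s = simulate(arrival_interval_us=1000, inspect_us=2000,
                     engines=engines, n_packets=100)
        print(f"{engines} engine(s): capacity {capacity_pps(2000, engines):.0f} pps, "
              f"achieved {s.throughput_pps:.0f} pps, mean latency "
              f"{s.mean_latency_us:.0f} us, floor {s.min_latency_us} us, "
              f"max queue {s.max_queued}")
```

With one engine the backlog grows without bound and mean latency is dominated by queue wait; with two engines throughput matches the offered load and the queue disappears, yet the best-case latency stays at exactly one inspection time, which is the "cars still slow down at the booth" observation in queueing terms.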




