Firewall Wizards mailing list archives
Re: High Speed Firewalls
From: "David Newman" <dnewman () networktest com>
Date: Sun, 5 Mar 2000 21:12:03 -0500
1. (obligatory mathematical note from an ex math professor) The rainwall actually scales sublinearly. Each machine (tries to) talk to every other machine, and there are election rules, etc. That sort of overhead increases as the square of the number of firewalls, and so at some point, the complexity of that computation would start getting significant. (end obligatory math note)
(obligatory note from a lab rat) Amplifying on Woody's comment, scaling is only one of several issues that may hamper firewall performance. Another issue is the traffic types the firewall handles. Benchmarking performance of a firewall is different than benchmarking a router or even some L4-only load balancers.

It's not surprising that devices with full-duplex 100Base-T interfaces top out at around 150-170 Mbit/s, regardless of offered load. That may be all that's available for user data, since unlike lower-layer devices, firewalls usually deal with L3-L7 headers.

Perspective matters a LOT here; if you're measuring application-layer throughput (e.g., firewall X can handle Y sessions of ftp at an aggregate rate of Z Mbit/s) then anyone who claims line-rate performance, even on a totally uncongested network, is lying. That just isn't possible, since all applications carry some overhead and a firewall's inspection routine(s), regardless of architecture, take some nonzero amount of time to complete. It might be valid to calculate a theoretical maximum for application-layer throughput but it will never be the same as line rate.

When congestion does exist, Mr. TCP steps in to do his thing, and sliding windows and retransmissions take us further away from line rate. UDP may measure throughput nicely, but it too carries at least some overhead.

It's only when we measure raw bits on the wire that we can theoretically hit line rate. I can't think of a more meaningless measurement for a firewall, since presumably the thing we're looking to measure is how quickly the firewall handles application-layer flows. A measurement on the wire of 199 Mbit/s isn't terribly meaningful if 99 percent of that is TCP retransmissions.

David Newman
Network Test
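The distinction the post draws between "raw bits on the wire" and application-layer throughput, as an added example that is not part of the original thread: it takes a constructed list of packet records (the fields, the simplified retransmission rule and the sample values are all assumptions of this example) and separates wire rate from TCP goodput, so that a 199 Mbit/s wire number made mostly of retransmissions shows up as a much smaller goodput figure.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): (time_s, flow, seq, payload_bytes, wire_bytes).
# wire_bytes is the whole frame as seen on the wire (L2-L4 headers plus payload);
# seq is the TCP sequence number of the segment's first payload byte.
SAMPLE = [
    (0.000, "A->B", 1,    1460, 1514),
    (0.001, "A->B", 1461, 1460, 1514),
    (0.002, "A->B", 2921, 1460, 1514),
    (0.200, "A->B", 1461, 1460, 1514),  # retransmission of the second segment
    (0.201, "A->B", 2921, 1460, 1514),  # retransmission of the third segment
    (0.202, "A->B", 4381, 1460, 1514),
    (0.203, "B->A", 1,    0,    66),    # pure ACK: overhead, no application data
]

def classify(packets):
    """Split wire bytes into new application payload, retransmitted payload
    and protocol overhead, tracking the next expected sequence number per flow.
    Simplifying assumption: a data segment whose first byte lies below the
    highest byte already seen on its flow is counted as a retransmission
    (true out-of-order delivery would be misclassified by this rule)."""
    next_seq = defaultdict(int)
    totals = {"wire": 0, "new_payload": 0, "retrans_payload": 0, "overhead": 0}
    for _, flow, seq, payload, wire in packets:
        totals["wire"] += wire
        totals["overhead"] += wire - payload
        if payload == 0:
            continue
        if seq < next_seq[flow]:
            totals["retrans_payload"] += payload
        else:
            totals["new_payload"] += payload
            next_seq[flow] = seq + payload
    return totals

def rates_mbps(packets):
    """Wire rate versus goodput (new payload only) over the capture window."""
    times = [p[0] for p in packets]
    window = (max(times) - min(times)) or 1e-9  # avoid division by zero on one packet
    c = classify(packets)
    data = c["new_payload"] + c["retrans_payload"]
    return {
        "wire_mbps": c["wire"] * 8 / window / 1e6,
        "goodput_mbps": c["new_payload"] * 8 / window / 1e6,
        "retrans_share": c["retrans_payload"] / data if data else 0.0,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(rates_mbps(SAMPLE))
```

Feeding it a real capture means filling `SAMPLE` from a pcap parser; the point of the split is that only `goodput_mbps` says anything about how fast the firewall moves application data.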