Firewall Wizards mailing list archives

Re: High Speed Firewalls


From: "David Newman" <dnewman () networktest com>
Date: Sun, 5 Mar 2000 21:12:03 -0500


1.  (obligatory mathematical note from an ex math professor) The
rainwall actually scales sublinearly.  Each machine (tries to) talk to
every other machine, and there are election rules, etc.  That sort of
overhead increases as the square of the number of firewalls, and so at
some point, the complexity of that computation would start getting
significant. (end obligatory math note)


(obligatory note from a lab rat)

Amplifying on Woody's comment, scaling is only one of several issues that
may hamper firewall performance. Another issue is the traffic types the
firewall handles.

Benchmarking performance of a firewall is different from benchmarking a
router or even some L4-only load balancers.

It's not surprising that devices with full-duplex 100Base-T interfaces top
out at around 150-170 Mbit/s, regardless of offered load. That may be all
that's available for user data, since unlike lower-layer devices, firewalls
usually deal with L3-L7 headers.

Perspective matters a LOT here; if you're measuring application-layer
throughput (e.g., firewall X can handle Y sessions of ftp at an aggregate
rate of Z Mbit/s) then anyone who claims line-rate performance, even on a
totally uncongested network, is lying. That just isn't possible, since all
applications carry some overhead and a firewall's inspection routine(s),
regardless of architecture, take some nonzero amount of time to complete. It
might be valid to calculate a theoretical maximum for application-layer
throughput but it will never be the same as line rate.

When congestion does exist, Mr. TCP steps in to do his thing, and sliding
windows and retransmissions take us further away from line rate. UDP may
measure throughput nicely, but it too carries at least some overhead.

It's only when we measure raw bits on the wire that we can theoretically hit
line rate. I can't think of a more meaningless measurement for a firewall,
since presumably the thing we're looking to measure is how quickly the
firewall handles application-layer flows. A measurement on the wire of 199
Mbit/s isn't terribly meaningful if 99 percent of that is TCP
retransmissions.

David Newman
Network Test
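An added worked example, not part of David's post: it puts numbers on the "theoretical maximum for application-layer throughput" argument and on the closing point about wire measurements inflated by retransmissions. It assumes standard header sizes (Ethernet 14-byte header plus 4-byte FCS, IPv4 and TCP headers of 20 bytes without options, UDP 8 bytes), counts the 8-byte preamble/SFD and the 12-byte inter-frame gap as part of what the wire carries, and treats a "wire" measurement as counting every one of those bytes. The 100Base-T line rate and the 199 Mbit/s, 99 percent retransmission figures are taken from the post; everything else is a constructed illustration.

```python
# Added example (not from the original post): upper bound on application-layer
# throughput of a 100 Mbit/s Ethernet link, and the goodput that survives a
# given retransmission fraction. Header sizes are standard values assumed here.

PREAMBLE_SFD = 8    # bytes on the wire before every frame
ETH_HEADER = 14     # dst MAC + src MAC + type
ETH_FCS = 4         # frame check sequence
IFG = 12            # inter-frame gap, expressed in byte times
IPV4_HEADER = 20    # no options
TCP_HEADER = 20     # no options
UDP_HEADER = 8

MIN_FRAME = 64      # smallest legal Ethernet frame (header..FCS)
MAX_FRAME = 1518    # largest untagged frame for a 1500-byte MTU


def wire_bytes(frame_bytes):
    """Bytes the link actually carries per frame, including preamble and gap."""
    return PREAMBLE_SFD + frame_bytes + IFG


def payload_bytes(frame_bytes, l4_header=TCP_HEADER):
    """Application bytes inside one frame after L2, L3 and L4 headers."""
    payload = frame_bytes - ETH_HEADER - ETH_FCS - IPV4_HEADER - l4_header
    if payload < 0:
        raise ValueError("frame too small to carry this header stack")
    return payload


def payload_ratio(frame_bytes, l4_header=TCP_HEADER):
    """Fraction of wire bits that are application data for one frame size."""
    return payload_bytes(frame_bytes, l4_header) / wire_bytes(frame_bytes)


def max_app_throughput_mbps(line_rate_mbps, frame_bytes=MAX_FRAME,
                            l4_header=TCP_HEADER, full_duplex=True):
    """Theoretical ceiling on application-layer throughput.

    This is line rate scaled by the payload ratio; it ignores inspection
    latency, ACK traffic and window effects, so real firewalls land below it.
    """
    directions = 2 if full_duplex else 1
    return line_rate_mbps * payload_ratio(frame_bytes, l4_header) * directions


def goodput_mbps(measured_wire_mbps, retransmission_fraction,
                 frame_bytes=MAX_FRAME, l4_header=TCP_HEADER):
    """Application-layer goodput behind a raw wire measurement.

    Strips header overhead, then discounts the share of payload bytes that
    were retransmissions and therefore never delivered new data.
    """
    if not 0.0 <= retransmission_fraction <= 1.0:
        raise ValueError("retransmission_fraction must be between 0 and 1")
    return (measured_wire_mbps * payload_ratio(frame_bytes, l4_header)
            * (1.0 - retransmission_fraction))


def ceiling_table(line_rate_mbps, frame_sizes=(MIN_FRAME, 512, MAX_FRAME)):
    """Per-frame-size ceilings (TCP, full duplex), to show how much the
    traffic mix matters: small frames are mostly headers."""
    return {size: round(max_app_throughput_mbps(line_rate_mbps, size), 2)
            for size in frame_sizes}


if __name__ == "__main__":
    # Full-duplex 100Base-T from the post.
    for size, mbps in ceiling_table(100).items():
        print(f"{size:5d}-byte frames: at most {mbps:7.2f} Mbit/s of TCP payload")
    # The closing point of the post: 199 Mbit/s on the wire, 99% retransmissions.
    print(f"goodput behind 199 Mbit/s with 99% retransmissions: "
          f"{goodput_mbps(199, 0.99):.2f} Mbit/s")
```

Even with maximum-size frames the TCP payload ceiling on a full-duplex 100 Mbit/s link is a little under 190 Mbit/s, and minimum-size frames cut that to a few Mbit/s, which is why a device "topping out at 150-170 Mbit/s" is not evidence of a bottleneck until the frame mix is known. The last line reproduces the post's example: 199 Mbit/s of wire traffic that is 99 percent retransmissions corresponds to under 2 Mbit/s of useful data.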
