Firewall Wizards mailing list archives

Re: Firewall Throughput


From: Patrick Darden <darden () armc org>
Date: Wed, 6 Sep 2000 12:22:39 -0400 (EDT)


I agree.  Even if you were to focus on performance as the primary concern,
you still have to know more about the security context.  Here are some
other questions that will affect performance:

        number of networks
        number of ints
        complexity of firewall rulesets
        complexity of zones of control, 
        (i.e. number of logical domains and rulesets)
        number of services offered externally
        number of services offered internally
        VPN stuff: # connections, bandwidth, type of encryption
        upgrade path--bigger box or more boxes

Other factors that should be as important to you as performance are:

        human skill set         Security all revolves around the admin
                                --training, certifications, etc.
                                --previous experience with Cisco or CP...

        high availability       Can you afford for it to go down
                                even for monthly upgrades/updates?
                                --checkpoint offers ha via the nokia boxes
                                --not sure about the pix

        capability              Will it do what you want/need?
                                --interoperability (e.g. ipsec)
                                --content scanning (e.g. cvp for
                                  antivirus, packet scanning to see if it 
                                  truly is ftp or http or whatever)

        future                  2-3 year obsolescence cycle is standard
                                --expansion of traffic/bandwidth
                                --does the vendor update frequently to 
                                  reflect current trends, capabilities?

        management              ease of use, multiple firewalls?
                                --logging, charts, graphs, reports
                                --user account handling, adding, deleting
                                --updating rulesets
                                --adding zones of control



I believe Network Magazine has some firewall roundups that might help you
out.  Performance is a big part of their tests, and they get into details.


G'luck,
--Patrick


On Wed, 6 Sep 2000, Rick Murphy wrote:

At 10:25 AM 9/5/2000 -0500, Benson Hill wrote:
Of course, both companies claim their solution is the best.
Cisco says they are faster, CheckPoint says that's true only
for certain types of traffic.

Does anyone have any reliable information comparing the
throughput of the two products?

Before you can get a good answer to that question, you'll need to refine 
the question. Define "throughput" - number of connections per second, bytes 
per second, etc. What protocols are you planning to measure? Do you want 
to use filtering that requires using a Firewall-1 security server? If so, 
make sure you measure that way. Checkpoint allows the use of "fastmode" for 
TCP services; that's a static 'established' filter - make sure your 
measurements aren't using that mode unless you're willing to take the risk.

There are also bigger questions, like what form of user authentication 
you're planning to use and whether the products support it, whether or not 
you want to virus scan e-mail, etc. Define your entire requirements set, 
don't try to concentrate on one facet of the two products.
         -Rick

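Rick's point about "fastmode" being a static 'established' filter is easier to see with a small simulation. This is an added example, not code from either poster or from any vendor: it models a stateless rule that admits any inbound TCP packet with the ACK bit set beside a connection-tracking filter that only admits replies to sessions an inside host opened, and runs both over a constructed packet sequence (the 10.0.0.0/8 "inside" network and all addresses are assumptions).

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed "inside" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def inbound(pkt):
    return (ipaddress.ip_address(pkt.dst) in INTERNAL
            and ipaddress.ip_address(pkt.src) not in INTERNAL)


def static_established(pkt):
    """Stateless 'established' rule: outbound always allowed, inbound allowed
    whenever ACK is set. It keeps no memory of any connection, which is why
    it is cheap to evaluate and why measuring throughput in that mode says
    nothing about the cost of real stateful inspection."""
    return True if not inbound(pkt) else "ACK" in pkt.flags


class StatefulFilter:
    """Connection-tracking filter: inbound traffic is admitted only when it
    matches the reverse of a connection an inside host opened."""

    def __init__(self):
        self.table = set()  # (src, sport, dst, dport) of outbound sessions

    def admit(self, pkt):
        if not inbound(pkt):
            if pkt.flags == frozenset({"SYN"}):  # inside host opens a session
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare(packets):
    """Return [(static_verdict, stateful_verdict), ...] for a packet sequence."""
    stateful = StatefulFilter()
    return [(static_established(p), stateful.admit(p)) for p in packets]


SAMPLE = [  # constructed traffic, not from the original thread
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"})),         # inside opens web session
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("198.51.100.7", 443, "10.0.0.9", 1234, frozenset({"ACK"})),         # unsolicited ACK, no session
    Packet("198.51.100.7", 5555, "10.0.0.9", 22, frozenset({"SYN"})),          # unsolicited SYN
]
```

The third packet is the case Rick is warning about: the static rule passes it because ACK is set, while the stateful filter drops it because no inside host ever opened that session.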

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards