Firewall Wizards mailing list archives
RE: Firewall-1 platforms - Performance, etc.
From: Peter Lukas <plukas () oss uswest net>
Date: Fri, 9 Mar 2001 14:58:40 -0600 (CST)
CheckPoint only supports RootHat 6.2, but most are free to whip out the zig-zags and roll their own Linux CP-based firewall if they've got the time.

I'll be inclined to agree with previous comments regarding the stability of Sun hardware as well as the convenience of Nokia's configuration. I do take issue with the bottom-of-the-barrel hardware deployed on Nokia systems (even most bargain-basement PCs don't use WD hard drives these days!). I also feel Linux to be inferior when handling a bombardment of concurrent network connections. A *BSD would be much more suitable for such an environment -- unfortunately Nokia's closed business model surrounding IPSO and their CheckPoint binaries prevents me from building a *BSD-based CP Firewall on more capable hardware. Has anyone tried running the Nokia CP binaries against a *BSD != IPSO? Did they modify the runtime libraries entirely or is it possible to "roll my own?"

VRRP for free is highly attractive. StoneBeat's High Availability works very well and can be configured for load *sharing* for an effective throughput capacity of 2X the capacity of a single system. Their FullCluster and other similar load-balancing solutions can *never* surpass the maximum of the multicast interface they represent. The theoretical maximum in these multicast scenarios is the limitation of a single interface (not (n)X interface capacity as most literature would have one believe).

Hardware encryption (IMHO) leaves quite a bit to be desired. Most encryption accelerators use an aging Intel SA-110 processor. While in its day this was a good place to off-load encryption, I've only been able to notice a 2-3X increase over no acceleration. Using the CAST algorithm proved much more speedy than 3DES with acceleration. I am not aware of the technical or security merits one has over the other, though. I have seen a soft-VPN accelerator which will utilize a second CPU for VPN processing. This may prove a dynamo as the second processor in most systems could effectively surpass an SA-110. Has anyone had any experience with these?

I have also noticed that the majority of firewall testing is not balanced or unbiased in the comparisons made. I suppose that real-world examples of firewall bombardment would be more applicable when choosing a particular platform. Without getting into a firewall muscle-flexing contest, I offer the following real-world example and encourage others to do the same:

I have a number of Sun/Solaris configurations in networks that average a sustained throughput of 15-20Mbps with an average of 12-16000 active connections in the state table. These systems peak around 86Mbps (only on large network backups). None of them utilize load-sharing or load-balancing. None run dynamic routing protocols or other intensive applications. They are all based on UltraII 440MHz processors, 256MB memory and 66MHz Quad FastEthernet adapters (a Sun Ultra60/Netra t1125).

I'd be interested in what other people have experienced - what worked, what worked well, what didn't work at all.

Peter Lukas

On Tue, 6 Mar 2001, Joe Ippolito wrote:
Some things that Nokia does do: VRRP (Virtual Router Redundancy Protocol) - HA without additional cost. IPSO OS-level Flow Control, BGP, and a management interface for OS-level stuff and software license and patch-level management. No hardware encryption ...yet - stay tuned.

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Kalat, Andrew (ISS Atlanta)
Sent: Tuesday, March 06, 2001 8:28 AM
To: 'Smith, Gary (SCOTAM)'; 'firewall-wizards () nfr com'
Subject: RE: [fw-wiz] RE: Firewall-1 platforms

Hello Gary,

Nokia is a good platform for FW-1, but there are some things to keep in mind.

First, Nokia often lags in patch release. Often, you'll see a few weeks between the time a patch/hotfix/service pack comes out for the Sun version of FW-1 and the Nokia version.

Second, Nokia is based on BSD. My understanding (could be wrong) is that Checkpoint is asking all application vendors to now run the Linux version of FW-1. This would mean that conceivably at some point Nokia will have to switch from BSD to Linux. This *is* speculation on my part, but it seems reasonable.

Third, Sun is much faster at DES encryption throughput than Nokia (however, Nokia seems to win in raw packet passing speed.) Also, I don't believe the add-on cards for encryption acceleration support Nokia yet, but I'm not certain on that...

Fourth, with dual Sun boxes, and a good fail-over product like StoneBeat, I believe you can do load balancing of traffic between both Sun boxes. As far as I know, you can't do load balancing between two Nokia boxes yet.

Just some of my random thoughts and considerations. But, like I said, overall, Nokia is a good platform, depending on your needs.

-Andrew Kalat

Note: Comments are my own, not my employer's, yadda, yadda...

-----Original Message-----
From: Smith, Gary (SCOTAM) [mailto:gary.smith () ScottishAmicable co uk]
Sent: Tuesday, March 06, 2001 5:45 AM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] RE: Firewall-1 platforms

David+others:

We are looking at putting in two Nokia Firewall-1 appliances with VRRP failover. Aside from cost, can you share any of the potential reasons that you had for discounting Nokia as a platform?

--Gary;

-----Original Message-----
From: David Lang [mailto:dlang () diginsite com]
Sent: Friday, March 02, 2001 4:36 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Firewall-1 platforms

I am looking at putting in a couple Firewall-1 boxes and am debating between the various hardware platforms. The Nokia appliances are a distant third choice due to a number of reasons (cost being one of them) but I don't have much info to help me choose between running Firewall-1 on Linux or Solaris

**********************************************************************
Information contained herein is the sole responsibility of the Individual sending the message. No responsibility is admitted by Scottish Amicable for any loss or damage incurred through use of the email. In addition, no statement should be construed as giving investment advice within or outside the United Kingdom. An email reply to this address may be subject to interception or monitoring for operational reasons or for lawful business practices.
*********************************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards