RE: Consine FW

["Pieper, Rodney" <rodney.pieper () eds com>]

Having a multiprocessor CPU with CheckPoint will not give the added
throughput you might think. This is a single threaded process. You gain some
performance by having a second processor to handle os related tasks but
beyond that you gain nothing. 

Another bottleneck in many systems (including Sun) is the bus speed. Even if
you have gig in and out the data has to get to the processor and back to the
other interface. This is a big issue on people working with qfe (quad
10/100) cards. 

You can push a dual processor box with CheckPoint to 60-70 with tweaking - I
have a 17 page set of notes that I use to wring the most out of the box. 

Rod Pieper


-----Original Message-----
From: Nimesh Vakharia [mailto:nvakhari () clio rad sunysb edu]
Sent: Tuesday, November 13, 2001 3:32 PM
To: Lucas, Perry
Cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] Consine FW



> me.  Has anyone tested a high end firewall, proxy or stateful, on a 2ghz
> quad processor servers decked out with memory?  It may give gigabit
> throughput performance for all we know at this point.  I don't dispute
        One of our customers did try out a quad proc (440Mhz, i think) at
1 Gb RAM on a Sun E450(2Gig Nic) with Checkpoint. I think they barely got
around 60-80Mbps of thput out of the 1G. The packets were pure UDP
traffic (200 streams) and fw was configured with 20 FW rules. In
checkpoints defense, the admins were not very big on solaris and the
optimizations were a few things recommended on phoneboy.com. It'd be
interesting if see if people have had other experiences.

> As for the data mining and trend analysis, you grab that from the proxy
> firewall as opposed to the server, ala Webtrend firewall products
        Yes that would work but it'd get interestingly complex as
u'd have  one LB farm/high end device shared across various customers.

Nimesh.

> Sincerely,
>
> Perry J. Lucas
>
> -----Original Message-----
> From: Nimesh Vakharia [mailto:nvakhari () clio rad sunysb edu] 
> Sent: Monday, November 12, 2001 5:11 PM
> To: Lucas, Perry
> Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com; David Lang
> Subject: RE: [fw-wiz] Consine FW
>
>
> Lucas, If one considers the price performance of high end firewalls,
> which
> is what the market seems to be moving to now a days. Consider the port
> density, price etc... u'd want to have multi gigabit capabilities
> especially when it is in a shared hosting/inter-enterprise environment.
> Although high end proxy's are secure (a squid cluster) and do content
> inspection, the speed seems to be a distant dream and besides proxy in a
> hosting environment is a major no no. The thought of losing out on
> client
> info for site trends analysis or data mining is pretty much
> unacceptable.
> I guess the ideal solution would be to see Layer 7 analysis in a
> stateful
> firewall at high speeds.
>
> Nimesh.
>
>
> On Mon, 12 Nov 2001, Lucas, Perry wrote:
>
> > Just to contribute a little bit off the list.  In the past, proxy
> > firewalls were deemed to be more secure than stateful inspection
> > firewalls.  I don't know how well that still holds true today, as I
> > personally haven't kept up on the debates, but the logic being that it
> > is the proxy establishing the connections.  Just to break it out in a
> > rough sense, stateful inspection you get a pc-to-pc connection with
> the
> > firewall making some alterations to the packets for NAT or blocking
> > ports as necessary.  With proxy firewalls, the PC makes a connection
> to
> > the proxy, and then proxy makes the request out to the server.  So you
> > get a pc-to-proxy-to-pc connection.  The trade-off, as has been
> > mentioned, is a slight degradation in performance.
> >
> > You'll get different answers depending on which zealot you talk to as
> to
> > which is better.  My personal preference is towards stateful
> inspection
> > firewalls such as PIX, Checkpoint, and Netscreen as they adapt to new
> > technology easier and usually fairly transparent in operation to the
> > users.
> >
> > -----Original Message-----
> > From: David Lang [mailto:david.lang () digitalinsight com] 
> > Sent: Friday, November 09, 2001 3:56 AM
> > To: Nimesh Vakharia
> > Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] Consine FW
> >
> > although as fast as computers are today the speed you can get from
> > proxies
> > may very well be sufficiant, in most cases a fairly beefy box will
> make
> > it
> > so that your communications lines are your bottleneck, not the
> firewall
> > (obviously does not apply to gig ethernet, but definantly does apply
> up
> > to
> > multiple DS-3's)
> >
> > David Lang
> >
> >
> >
> >  On Thu, 8 Nov 2001, Nimesh Vakharia wrote:
> >
> > > Date: Thu, 8 Nov 2001 11:44:37 -0500 (EST)
> > > From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
> > > To: Bill_Royds () pch gc ca
> > > Cc: firewall-wizards () nfr com
> > > Subject: Re: [fw-wiz] Consine FW
> > >
> > > agreed, the proxy's inherent behaviour to establish the connection
> > itself
> > > is why it does not require it to be stateful which is why it castes
> a
> > > doubt on performance capabilities at high speeds and is less than
> > ideal
> > > for a hosting environment.
> > >
> > >  On Thu, 8 Nov 2001 Bill_Royds () pch gc ca wrote:
> > >
> > > > An Application proxy firewall does not need stateful inspection.
> > Stateful
> > > > inspection is a method for packet filtering firewalls to carry
> > information
> > > > about TCP and UDP conversations to ensure that they are
> consistent.
> > An
> > > > application proxy does this inherently so it does not need a state
> > table
> > > > for the conversation.
> > > >
> > > >
> > > > Bill Royds
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Nimesh Vakharia <nvakhari () clio rad sunysb edu>
> > > > 11/07/01 04:08 PM
> > > >
> > > >
> > > >         To:     firewall-wizards () nfr com
> > > >         cc:
> > > >         Subject:        [fw-wiz] Cosine FW
> > > >
> > > >
> > > >
> > > > Hello,
> > > >
> > > > We are looking at a bunch of highend firewall and VPN options and
> > consine
> > > > seems to be an interesting one. But someone told me that currently
> > > > consine does not have a stateful firewall? Is that true. I was
> told
> > they
> > > > can support packet filtering and applcation proxy only...
> > > >
> > > >
> > > >
> > > >  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards