Firewall Wizards mailing list archives

Re: Firewall scaling


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 22 Feb 2004 15:23:09 +0100


Tim Chettle wrote:

What view do you all have on firewall scaling / performance?

I have a requirement for a gig-capable firewall capable of handling
approx. 100k concurrent sessions with varying packet sizes, and I am
unsure of the session setup rate.

I would appreciate the list's views on factors to look for in terms of
performance indicators, and experiences.

I'm unsure what you're asking for here, but given your actual
requirements, I thought I'd give you my view of what you should
be shopping for in terms of raw numbers.

If by "gig capable" you mean "capable of forwarding 1 gigabit/s
in each direction", you need to double your numbers and aim for
something that claims to handle 4 Gbps.  The reason is that
nearly all throughput figures list throughput for full packet
sizes.  So, rule of thumb: double your throughput figures,
unless you know for a fact that the numbers presented are
mixed packet size figures.

For state table size: if your 100k connections is your expected
normal usage, you need to guard against temporary floods to
some extent, i.e. worm outbreaks such as SQL slammer. Or, heck,
forget about worms, a room full of Unreal Tournament players
can flood your state table by just refreshing their server
lists at the same time.

I'd recommend that you over-dimension your state table by at
least a factor of three, so you should be shopping for something
with a state table size of at least 300k connections.  This way,
the firewall has a better chance of dropping unwanted connections
when the state table does fill up.


Actually, all this is just sensible engineering that has been
applied to all forms of construction for oodles of years --
it's just something that we sometimes forget in network 
engineering.

[disclaimer: I work for a company that manufactures firewalls, so
for all you know, I could be flat out lying about firewall sizing
just to get you to buy a bigger box :) ]

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
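The sizing rules of thumb in the reply above, turned into a small calculator. This is an added example, not code from the original post or from Clavister; the requirement values (1 Gbps per direction, 100k sessions) are the thread's, the 2x throughput and 3x state-table factors are the ones the reply recommends, and the Ethernet wire-overhead constants are standard. It also shows the per-packet rate at minimum versus maximum frame size, which is why a figure measured at full-size packets overstates what a box can do with mixed traffic.

```python
from dataclasses import dataclass

# Standard Ethernet wire overhead per frame: 8-byte preamble/SFD + 12-byte inter-frame gap.
ETH_OVERHEAD_BYTES = 8 + 12
MIN_FRAME = 64      # smallest Ethernet frame (bytes, FCS included)
MAX_FRAME = 1518    # largest untagged Ethernet frame (bytes, FCS included)


def frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link carries at a given frame size, wire overhead included."""
    return link_bps / ((frame_bytes + ETH_OVERHEAD_BYTES) * 8)


@dataclass(frozen=True)
class SizingTarget:
    claimed_throughput_bps: float  # datasheet figure to shop for (full-size-frame number)
    min_frame_pps: float           # packet rate the box must sustain at 64-byte frames
    max_frame_pps: float           # packet rate at 1518-byte frames (what datasheets measure)
    state_table_entries: int       # minimum state table size to shop for


def size_firewall(required_bps_per_direction: float,
                  expected_sessions: int,
                  throughput_factor: float = 2.0,
                  state_table_factor: float = 3.0,
                  datasheet_is_mixed_size: bool = False) -> SizingTarget:
    """Apply the reply's rules of thumb (the factors are assumptions from the post):
    full duplex doubles the bit rate, a full-size-frame datasheet figure is doubled
    again unless it is a mixed-size figure, and the state table gets 3x headroom."""
    duplex_bps = 2 * required_bps_per_direction
    factor = 1.0 if datasheet_is_mixed_size else throughput_factor
    return SizingTarget(
        claimed_throughput_bps=duplex_bps * factor,
        min_frame_pps=frames_per_second(duplex_bps, MIN_FRAME),
        max_frame_pps=frames_per_second(duplex_bps, MAX_FRAME),
        state_table_entries=int(expected_sessions * state_table_factor),
    )


if __name__ == "__main__":
    # Constructed input matching the thread: 1 Gbps each way, 100k normal sessions.
    t = size_firewall(1e9, 100_000)
    print(f"shop for a box claiming {t.claimed_throughput_bps / 1e9:.0f} Gbps")
    print(f"must sustain {t.min_frame_pps / 1e6:.2f} Mpps at 64 B frames "
          f"vs {t.max_frame_pps / 1e6:.2f} Mpps at 1518 B frames")
    print(f"state table of at least {t.state_table_entries:,} connections")
```

The 64-byte versus 1518-byte packet rates differ by roughly 18x, which is the gap a full-size-frame throughput figure hides.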