Firewall Wizards mailing list archives

Re: Intel vs. special purpose FW-1 servers


From: Carson Gaspar <carson () taltos org>
Date: Thu, 21 Jul 2005 16:30:37 -0400

--On Thursday, July 21, 2005 09:32:44 AM -0400 "Marcus J. Ranum" <mjr () ranum com> wrote:

You should know what your peak loads through the link are going to
look like, and then you can start looking at which products claim they
operate at that level. If you're really concerned you can either use
one of two (equally effective) approaches to predict the performance
you'll see:
1) test or research a credible performance test (not one done by a vendor lab)
2) use bob's algorithm - assume the product can actually handle 1/2 of what its manufacturer claims it can handle

To add some real-life data to Marcus' common sense advice, be _very_ careful about what packet rate you need. FW-1 vendors love to talk bps, but corner them on pps and their numbers are... less than stellar. And once you exceeded their max pps rate, they behaved _very_ badly. At least that was the case as of NG's release - it's possible things have improved in the interim.

(Buy me a cosmo some time and I'll tell stories about dragging 64-byte packet performance numbers out of Checkpoint while they kicked, whined, screamed, and complained to my boss that I was being "unfair" for making them give the same performance data all the other vendors did. By the way - they came in dead last, on _any_ platform. Mmmmm.... slow _and_ insecure...)

--
Carson
