Firewall Wizards mailing list archives
Re: Firewall performance
From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 24 Jun 1999 15:25:20 -0700 (PDT)
--- Sandy Green <sand232 () yahoo com> wrote:
> Thanks to all those who responded. But actually that does not answer my query. There is a lab report on the Checkpoint site about the Solaris vs NT performance. Fine... but actually there are other important factors like PCI bus speed of the computer as well, CPU speed, memory.
If you are talking about packet filtering/forwarding, then current firewalls tend to perform quite a bit beneath the hardware's capabilities.

If you are talking about "proxying" rather than "routing", then there are some MAJOR architectural differences between WinNT and Solaris. Network services on UNIX systems are designed from the standpoint of fork()ing a new process for each connection. This has a huge performance impact on heavily utilized servers. Therefore, WinNT was designed from a "multi-thread" point of view rather than a "multi-process". Thread creation is not only cheaper, you can further tweak things with thread "pools".

Therefore, if you see a webserver comparison using CGI scripts (programs that are fork()ed off by the web server), you will see UNIX systems with a huge lead over WinNT. WinNT's process creation performance sucks. However, comparisons that recompile the CGI programs as Microsoft ISAPI filters likewise perform significantly faster than UNIX plus CGI.

I know neither Checkpoint's architecture nor the tests you were referring to. However, if the test dealt with proxies and Checkpoint follows the standard UNIX paradigm of fork()ing processes, you will see a huge performance degradation on WinNT. In short, a product written for one architecture will run poorly on an OS optimized for another architecture.

There is more to this story. You must remember that Microsoft builds both OS and apps. In particular, Microsoft has built WinNT to be the perfect app for SQL Server and IIS. Oracle is doing the same thing, trying to build a single platform that doesn't have an OS but which is a pure Oracle server. Only with MS, we get half the SQL Server and think it is an OS named WinNT.

Some of these features are like I/O Completion Ports (a multi-threaded variant of select()) and Overlapped I/O. These features were designed for IIS and SQL Server on multi-CPU machines. If you have a massively scalable program such as a web server, a database server, or a proxying firewall, then you almost certainly need to use these features as well, or you won't be getting the performance you otherwise expect.

Rob.