Firewall Wizards mailing list archives
RE: Firewall performance
From: David LeBlanc <dleblanc () mindspring com>
Date: Thu, 24 Jun 1999 10:08:38 -0700
At 08:57 PM 6/23/99 -0400, Marcus J. Ranum wrote:
> * The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have a sub-par TCP/IP stack as far as performance is concerned. i.e. Max throughput for a single socket in NT will generally be less than on Solaris, etc. The best software in the world can only send and receive data as quickly as the TCP/IP stack can manage.
Depends on whether or not it's a proxy firewall or a filter. A lot of the vendors that make NT-based firewalls access data just above NDIS, then make a go/no-go decision at that point. Doing that eliminates NT's IP stack entirely. Same applies for a Checkpoint running on Solaris - the IP stack only comes into play when a packet is permitted up the stack to the machine itself (which is usually a bad idea!)
To some extent, NT garnered that reputation back in the 3.5-3.51 days.
From what I've seen while I was at ISS, NT and the UNIXes are equally capable of flooding a 100Mb network to saturation. We had problems with both the initial ping sweep and the port scanning portions of the scanner where we had to insert wait states and tweaks in order to keep from causing too many collisions. Beware of some of the shareware port scanners - they are not tweaked to be nice to your net. At one point, we had a switch that kept taking us off the network - our packet rate was way too high. Note that ping sweeps and port scans are pretty specialized activities - normal use won't get you into this. IMHO, any OS that can hit the limits of the network layer is fast enough 8-) I've personally measured NT-NT file transfers where it used 80Mb of a 100Mb wire - but that was on a quiet network - get more than one of those going at once, and you'll have problems at the ethernet level. Disclaimer - there are many ways to measure 'performance', and I don't pretend to have measured them all.
> Some of the NT firewalls perform pretty well, in fact, since NT is really just acting as a GUI and program loader/filesystem while the firewall itself is basically a kernel mode device driver.
This is very true - personally, I'm starting to think that having a multi-purpose OS on top of a firewall is at best a convenience. Also, I think that a firewall running on any OS should use as little (or none) of the native stack as possible.

David LeBlanc
dleblanc () mindspring com