Firewall Wizards mailing list archives

RE: Firewall performance


From: David LeBlanc <dleblanc () mindspring com>
Date: Thu, 24 Jun 1999 10:08:38 -0700

At 08:57 PM 6/23/99 -0400, Marcus J. Ranum wrote:
>> * The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have
>> a sub-par TCP/IP stack as far as performance is concerned.  i.e. Max
>> throughput for a single socket in NT will generally be less than on Solaris,
>> etc.  The best software in the world can only send and receive data as
>> quickly as the TCP/IP stack can manage.
>
> Depends on whether or not it's a proxy firewall or a filter. A
> lot of the vendors that make NT-based firewalls access data just
> above NDIS, then make a go/no-go decision at that point. Doing
> that eliminates NT's IP stack entirely. Same applies for a Checkpoint
> running on Solaris - the IP stack only comes into play when a
> packet is permitted up the stack to the machine itself (which is
> usually a bad idea!)

To some extent, NT garnered that reputation back in the 3.5-3.51 days.
From what I've seen while I was at ISS, NT and the UNIXes are equally
capable of flooding a 100Mb network to saturation.  We had problems with
both the initial ping sweep and the port scanning portions of the scanner
where we had to insert wait states and tweaks in order to keep from causing
too many collisions.  Beware of some of the shareware port scanners - they
are not tweaked to be nice to your net.  At one point, we had a switch that
kept taking us off the network - our packet rate was way too high.  Note
that ping sweeps and port scans are pretty specialized activities - normal
use won't get you into this.  IMHO, any OS that can hit the limits of the
network layer is fast enough 8-)

I've personally measured NT-NT file transfers where it used 80Mb of a 100Mb
wire - but that was on a quiet network - get more than one of those going
at once, and you'll have problems at the Ethernet level.

Disclaimer - there are many ways to measure 'performance', and I don't
pretend to have measured them all.

> Some of the NT firewalls perform pretty well, in fact, since
> NT is really just acting as a GUI and program loader/filesystem
> while the firewall itself is basically a kernel mode device
> driver.

This is very true - personally, I'm starting to think that having a
multi-purpose OS on top of a firewall is at best a convenience.  Also, I
think that a firewall running on any OS should use as little (or none) of
the native stack as possible.


David LeBlanc
dleblanc () mindspring com
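The go/no-go decision "just above NDIS" that Marcus describes, as an added example (not code from this thread or from any vendor's product): a link-layer filter that parses a raw Ethernet frame and returns a verdict before the host IP stack is involved, dropping anything malformed or truncated instead of handing it up. The rule structure, the frame builder and the sample address 192.168.0.1:80 are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdict handed back to a hypothetical driver-level hook sitting just above NDIS. */
enum verdict { DROP = 0, PASS_UP = 1 };

/* A single rule: permit TCP to one local address and port; everything else is dropped. */
struct rule { uint32_t dst_ip; uint16_t dst_port; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decide on a raw Ethernet frame before the host IP stack ever sees it.
 * Malformed or truncated frames are dropped here rather than passed up for the stack to parse. */
enum verdict filter_frame(const uint8_t *f, size_t len, const struct rule *r)
{
    if (len < 14 + 20) return DROP;                     /* shorter than Ethernet + IPv4 header */
    if (rd16(f + 12) != 0x0800) return DROP;            /* EtherType: IPv4 only */
    const uint8_t *ip = f + 14;
    if ((ip[0] >> 4) != 4) return DROP;                 /* IP version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header length, options included */
    if (ihl < 20 || 14 + ihl + 4 > len) return DROP;    /* bad IHL, or TCP ports truncated */
    if (ip[9] != 6) return DROP;                        /* IP protocol: TCP only */
    if (rd32(ip + 16) != r->dst_ip) return DROP;        /* not for the permitted host */
    if (rd16(ip + ihl + 2) != r->dst_port) return DROP; /* TCP destination port */
    return PASS_UP;
}

/* Constructed test frame: Ethernet + IPv4 (ihl_words * 4 bytes) + start of a TCP header. */
static void build_frame(uint8_t *f, uint8_t ihl_words, uint8_t proto, uint32_t dst, uint16_t dport)
{
    memset(f, 0, 128);
    f[12] = 0x08; f[13] = 0x00;                         /* EtherType IPv4 */
    uint8_t *ip = f + 14;
    ip[0] = (uint8_t)(0x40 | ihl_words);                /* version 4, header length */
    ip[9] = proto;
    ip[16] = (uint8_t)(dst >> 24); ip[17] = (uint8_t)(dst >> 16);
    ip[18] = (uint8_t)(dst >> 8);  ip[19] = (uint8_t)dst;
    uint8_t *tcp = ip + ihl_words * 4;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
}

/* Build a frame with the given fields and filter it as if 'len' bytes had arrived on the wire. */
int verdict_for(uint8_t ihl_words, uint8_t proto, uint32_t dst, uint16_t dport, size_t len)
{
    uint8_t f[128];
    const struct rule r = { 0xC0A80001u, 80 };          /* constructed rule: 192.168.0.1:80 */
    build_frame(f, ihl_words, proto, dst, dport);
    return (int)filter_frame(f, len, &r);
}
```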


