Firewall Wizards mailing list archives
Re: High Speed Firewalls
From: Crispin Cowan <crispin () wirex com>
Date: Tue, 07 Mar 2000 18:41:18 +0000
David Newman wrote:
> Perspective matters a LOT here; if you're measuring application-layer throughput (e.g., firewall X can handle Y sessions of ftp at an aggregate rate of Z Mbit/s) then anyone who claims line-rate performance, even on a totally uncongested network, is lying. That just isn't possible, since all applications carry some overhead and a firewall's inspection routine(s), regardless of architecture, take some nonzero amount of time to complete. It might be valid to calculate a theoretical maximum for application-layer throughput but it will never be the same as line rate.
This does not follow. The overhead for the firewall will impose additional end-to-end latency (i.e. increasing ping times) but does not necessarily throttle throughput. Imagine a theoretical deeply pipelined firewall that can simultaneously process several packets in different stages. This is analogous to deeply pipelined CPUs that execute instructions that each take 5 clocks to execute, but none the less can complete one instruction per clock cycle. The firewall imposes latency, but most certainly can ingest and eject packets at line rates.

Caveat: this is just picking on the above claimed theoretical limitation. Actual firewall rates are a matter for performance metrics. Continuing the above pipelined CPU analogy, 1 instruction per clock is an ideal that is hard to achieve in practice, and achieving line-rate throughput in a firewall is likely to be hard. Possible, but hard.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
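An added illustration, not part of the original post, of the latency-versus-throughput distinction argued in the message above: a small queueing model that pushes packets arriving at line rate through a five-stage inspection path, run serially, pipelined, and pipelined with one slow stage. The time units, stage costs, function names and the unbounded queues between stages are all assumptions made for the example.

```python
# Constructed model: time units are arbitrary; queues between stages are unbounded.
LINE_GAP = 100                                  # one packet arrives every 100 units
ARRIVALS = [i * LINE_GAP for i in range(1000)]  # constructed line-rate arrivals


def departures(arrivals, stage_times, pipelined):
    """Return the departure time of each packet from the inspection path."""
    if not pipelined:
        # Serial firewall: the next packet cannot start until the previous one
        # has cleared every stage.
        total, free_at, out = sum(stage_times), 0, []
        for t in arrivals:
            free_at = max(t, free_at) + total
            out.append(free_at)
        return out
    # Pipelined firewall: each stage holds one packet and frees up independently.
    stage_free = [0] * len(stage_times)
    out = []
    for t in arrivals:
        for s, cost in enumerate(stage_times):
            t = max(t, stage_free[s]) + cost    # wait for the stage, then use it
            stage_free[s] = t
        out.append(t)
    return out


def summarize(arrivals, deps):
    """Latency of the first and last packet, and mean gap between departures."""
    lat = [d - a for a, d in zip(arrivals, deps)]
    gap = (deps[-1] - deps[0]) / (len(deps) - 1)
    return {"first_latency": lat[0], "last_latency": lat[-1], "departure_gap": gap}


def run_scenarios():
    scenarios = {
        "serial": ([100] * 5, False),
        "pipelined": ([100] * 5, True),
        "pipelined_slow_stage": ([100, 100, 150, 100, 100], True),
    }
    return {name: summarize(ARRIVALS, departures(ARRIVALS, st, p))
            for name, (st, p) in scenarios.items()}


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:22s} {r}")
```

A departure gap equal to `LINE_GAP` means the path keeps up with line rate despite a fixed per-packet latency; a larger gap, with latency growing from first packet to last, means packets are queueing behind the slowest element.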