Firewall Wizards mailing list archives

Re: High Speed Firewalls


From: Crispin Cowan <crispin () wirex com>
Date: Tue, 07 Mar 2000 18:41:18 +0000

David Newman wrote:

Perspective matters a LOT here; if you're measuring application-layer
throughput (e.g., firewall X can handle Y sessions of ftp at an aggregate
rate of Z Mbit/s) then anyone who claims line-rate performance, even on a
totally uncongested network, is lying. That just isn't possible, since all
applications carry some overhead and a firewall's inspection routine(s),
regardless of architecture, take some nonzero amount of time to complete. It
might be valid to calculate a theoretical maximum for application-layer
throughput but it will never be the same as line rate.

This does not follow.  The overhead for the firewall will impose additional
end-to-end latency (i.e. increasing ping times) but does not necessarily
throttle throughput.  Imagine a theoretical deeply pipelined firewall that can
simultaneously process several packets in different stages.  This is analogous
to deeply pipelined CPUs that execute instructions that each take 5 clocks to
execute, but nonetheless can complete one instruction per clock cycle.  The
firewall imposes latency, but most certainly can ingest and eject packets at
line rates.

Caveat:  this is just picking on the above claimed theoretical limitation.
Actual firewall rates are a matter for performance metrics.  Continuing the
above pipelined CPU analogy, 1 instruction per clock is an ideal that is hard
to achieve in practice, and achieving line-rate throughput in a firewall is
likely to be hard.  Possible, but hard.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html

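The latency-versus-throughput argument in the reply above, as an added tick-level model that is not part of the original thread: a firewall whose inspection path is `stages` ticks deep is run once as a serial engine (one packet inside at a time) and once as a pipeline (a new packet may enter every tick while earlier ones are still being inspected). It assumes one tick per stage and a link that offers one packet per tick, so "line rate" here means one exit every tick.

```python
# Added illustration (not from the thread): per-tick simulation of a
# `stages`-deep inspection path, serial versus pipelined.
# Assumptions: every stage costs exactly one tick, and the link offers one
# packet per tick starting at tick 0 (so line rate = one exit per tick).
from dataclasses import dataclass


@dataclass
class RunStats:
    latency: int        # ticks a packet spends inside the firewall
    exit_interval: int  # ticks between consecutive exits (steady state)
    last_exit: int      # tick at which the final packet leaves


def simulate(packets: int, stages: int, pipelined: bool) -> RunStats:
    """Push `packets` back-to-back packets through the inspection path."""
    assert packets >= 2 and stages >= 1
    in_flight: list[tuple[int, int]] = []   # (packet id, ticks still needed)
    admitted: dict[int, int] = {}           # packet id -> admission tick
    exits: dict[int, int] = {}              # packet id -> exit tick
    next_pkt, tick = 0, 0
    while len(exits) < packets:
        # every packet inside the firewall completes one more stage
        in_flight = [(p, r - 1) for p, r in in_flight]
        for p, r in in_flight:
            if r == 0:
                exits[p] = tick
        in_flight = [(p, r) for p, r in in_flight if r > 0]
        # admission rule: the serial engine needs to be empty, the
        # pipeline only needs one free stage
        room = (len(in_flight) < stages) if pipelined else (not in_flight)
        if next_pkt < packets and room:
            in_flight.append((next_pkt, stages))
            admitted[next_pkt] = tick
            next_pkt += 1
        tick += 1
    return RunStats(
        latency=exits[0] - admitted[0],
        exit_interval=exits[1] - exits[0],
        last_exit=exits[packets - 1],
    )


if __name__ == "__main__":
    for mode in (False, True):
        stats = simulate(packets=1000, stages=5, pipelined=mode)
        print("pipelined" if mode else "serial   ", stats)
```

Both runs report the same 5-tick latency (the ping-time cost Crispin describes); only the pipeline sustains an exit every tick, while the serial engine manages one every 5, i.e. a fifth of line rate.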