Firewall Wizards mailing list archives
Re: RE: High Speed Firewalls
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 20 Mar 2000 10:08:27 -0800 (PST)
From: "David Newman" <dnewman () networktest com>
Date: Tue, 7 Mar 2000 15:39:54 -0500

My contention is that it is not possible to ftp a 12.5-Mbyte (100-Mbit) file through a firewall with 100Base-T interfaces in 1 second, even though the interfaces are theoretically capable of moving traffic at that rate. Even a perfect firewall will still have to deal with packet headers, TCP connection setup and tear down, and its own inspection engine -- and all that pushes us over our 1-second budget. Ergo, there's no such thing as "line-rate" throughput from an application perspective. Any claim that a firewall does so (and I've heard several such claims) is a lie.
That has mostly to do with things like round-trip delays for handshakes, and TCP slow start. If you take a sample out of the middle of such a connection, for a much longer file, it will look better. I think at some point, your constraining factor might get to be latency. The window size can only get to be 64K, right?

Ryan
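The two effects argued over above (handshake plus slow start skewing a one-second sample, and a 64K window turning latency into the bottleneck) can be put into numbers with a simple model. The following is an added example, not code from the thread or from any firewall under test; the per-segment overhead constant, the 1460-byte MSS, and the simplifications listed in the docstring (one RTT of handshake, slow start doubling every RTT, no loss, no delayed ACKs, FIN ignored) are my assumptions, chosen to show the shape of the problem rather than to reproduce any measurement.

```python
# Added example: an idealised single-connection TCP model for the line-rate
# question debated above. Constants and model simplifications are my own
# assumptions, not figures from the thread or from any measured firewall.

MSS = 1460                 # payload bytes per segment: 1500-byte Ethernet MTU minus 20 IP + 20 TCP
PER_SEGMENT_OVERHEAD = 78  # assumed non-payload bytes on the wire per full-size segment:
                           # 20 IP + 20 TCP + 14 Ethernet hdr + 4 FCS + 8 preamble/SFD + 12 inter-frame gap
LINE_RATE = 100e6          # bits/s on 100Base-T
MAX_WINDOW = 65535         # bytes: the 16-bit window field without RFC 1323 window scaling


def payload_line_rate(line_rate=LINE_RATE, mss=MSS, overhead=PER_SEGMENT_OVERHEAD):
    """Best-case application payload rate (bits/s) once every segment has paid for headers and framing."""
    return line_rate * mss / (mss + overhead)


def window_limited_rate(rtt_s, window=MAX_WINDOW):
    """Bits/s a sender can push with at most `window` unacknowledged bytes: one window per RTT."""
    return window * 8 / rtt_s


def steady_state_rate(rtt_s, line_rate=LINE_RATE, window=MAX_WINDOW, mss=MSS, overhead=PER_SEGMENT_OVERHEAD):
    """Mid-connection payload rate: the smaller of the wire's payload capacity and the window bound."""
    return min(payload_line_rate(line_rate, mss, overhead), window_limited_rate(rtt_s, window))


def max_rtt_for_line_rate(line_rate=LINE_RATE, window=MAX_WINDOW, mss=MSS, overhead=PER_SEGMENT_OVERHEAD):
    """Largest RTT (s) at which an un-scaled window still keeps a link of this rate full."""
    return window * 8 / payload_line_rate(line_rate, mss, overhead)


def transfer_model(file_bytes, rtt_s, budget_s=None, line_rate=LINE_RATE, window=MAX_WINDOW,
                   mss=MSS, overhead=PER_SEGMENT_OVERHEAD):
    """Return (payload bytes delivered, seconds elapsed) for a fresh connection moving file_bytes.

    Stops when the file is done, or when budget_s elapses if one is given.
    Assumptions (mine): one RTT of three-way handshake before any data, slow start from one MSS
    doubling cwnd every RTT up to the receive window, each round lasting the longer of one RTT and
    the time to serialise its segments at line rate, no loss, no delayed ACKs, FIN exchange ignored.
    """
    rate = payload_line_rate(line_rate, mss, overhead)  # payload bits/s the wire can carry
    elapsed = rtt_s      # SYN out, SYN/ACK back; the first data rides with the third packet
    delivered = 0
    cwnd = mss
    while delivered < file_bytes:
        if budget_s is not None and elapsed >= budget_s:
            break
        burst = min(cwnd, file_bytes - delivered)
        round_time = max(rtt_s, burst * 8 / rate)
        if budget_s is not None and elapsed + round_time > budget_s:
            # Only part of this round fits: count what the wire can serialise in the time left.
            burst = min(burst, (budget_s - elapsed) * rate / 8)
            delivered += burst
            elapsed = budget_s
            break
        delivered += burst
        elapsed += round_time
        cwnd = min(cwnd * 2, window)
    return delivered, elapsed


if __name__ == "__main__":
    FILE = 12_500_000  # the 12.5-Mbyte file from the thread
    print(f"payload line rate: {payload_line_rate() / 1e6:.2f} Mbit/s")
    print(f"64K window fills the wire only up to RTT = {max_rtt_for_line_rate() * 1e3:.2f} ms")
    for rtt_ms in (0.5, 1, 5, 10, 50):
        rtt = rtt_ms / 1e3
        got, _ = transfer_model(FILE, rtt, budget_s=1.0)
        _, took = transfer_model(FILE, rtt)
        print(f"RTT {rtt_ms:>4} ms: steady {steady_state_rate(rtt) / 1e6:6.2f} Mbit/s, "
              f"{got / 1e6:5.2f} MB in the first second, whole file in {took:.3f} s")
```

Two things fall out of the model. Headers and framing alone cap the payload rate of a 100 Mbit/s link at roughly 95 Mbit/s, so a 12.5-Mbyte file cannot finish in one second even from the middle of an established connection, and the handshake and slow-start rounds at the front make a fresh-connection sample worse still. And with the un-scaled 64K window, one window per RTT keeps the wire full only while the RTT stays under about 5.5 ms; at 10 ms the connection is latency-bound at about 52 Mbit/s no matter how fast the firewall is, which is why steady-state throughput tests need either window scaling or several parallel connections before they say anything about the device.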