Firewall Wizards mailing list archives

RE: High Speed Firewalls


From: "David Newman" <dnewman () networktest com>
Date: Tue, 7 Mar 2000 15:39:54 -0500


This does not follow.  The overhead for the firewall will impose additional
end-to-end latency (i.e. increasing ping times) but does not necessarily
throttle throughput.  Imagine a theoretical deeply pipelined firewall that can
simultaneously process several packets in different stages.  This is analogous
to deeply pipelined CPUs that execute instructions that each take 5 clocks to
execute, but nonetheless can complete one instruction per clock cycle.  The
firewall imposes latency, but most certainly can ingest and eject packets at
line rates.

Caveat:  this is just picking on the above claimed theoretical limitation.
Actual firewall rates are a matter for performance metrics.  Continuing the
above pipelined CPU analogy, 1 instruction per clock is an ideal that is hard
to achieve in practice, and achieving line-rate throughput in a firewall is
likely to be hard.  Possible, but hard.

We may be talking at cross-purposes here. I agree fully with what you say
here, but I was making a different point.

My contention is that it is not possible to ftp a 12.5-Mbyte (100-Mbit) file
through a firewall with 100Base-T interfaces in 1 second, even though the
interfaces are theoretically capable of moving traffic at that rate. Even a
perfect firewall will still have to deal with packet headers, TCP connection
setup and tear down, and its own inspection engine -- and all that pushes us
over our 1-second budget. Ergo, there's no such thing as "line-rate"
throughput from an application perspective. Any claim that a firewall does
so (and I've heard several such claims) is a lie.

This is a different issue than measuring bits on the wire, as we do when we
benchmark switch or router performance. Of course there are firewalls that
can saturate a 100Base-T link, full duplex; I've tested several of these.
But they don't, and can't, push application data or even TCP at "line rate."

Apologies if I didn't state this clearly earlier: We have to be mindful of
what layer we're measuring from with firewalls, given their L4/L7
capabilities.

David Newman
Network Test
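The arithmetic behind the 12.5-Mbyte-in-one-second argument, as an added worked example that is not part of the original post. It assumes the standard IEEE 802.3 / IPv4 / TCP header sizes (preamble, inter-frame gap, 14-byte Ethernet header, 20-byte IP and TCP headers, FCS), a 1500-byte MTU, a single TCP connection sending full-size segments back to back, and a forwarding device with zero latency; ACKs are assumed to travel the other direction of a full-duplex link and so are not charged against the data direction. The file size and link speed are the ones from the post.

```python
"""Why a 12.5 MB file cannot cross a 100 Mbit/s link in one second.

Even a "perfect" firewall that forwards every frame at line rate pays
per-frame overhead that the file itself never sees: Ethernet preamble and
inter-frame gap, Ethernet/IP/TCP headers, FCS.  Sizes below are the standard
IEEE 802.3 / RFC 791 / RFC 793 values (assumption: no IP or TCP options);
the 12.5 MB file and the 100BASE-T link are the figures from the post.
"""

# Per-frame overhead on the wire, in bytes.
PREAMBLE_SFD = 8        # 7-byte preamble + start-frame delimiter
ETH_HEADER = 14         # dst MAC, src MAC, EtherType
IP_HEADER = 20          # IPv4, no options
TCP_HEADER = 20         # TCP, no options
FCS = 4                 # frame check sequence
IFG = 12                # inter-frame gap (96 bit times)
MTU = 1500              # Ethernet payload limit
MSS = MTU - IP_HEADER - TCP_HEADER   # 1460 bytes of file data per segment

FRAME_OVERHEAD = PREAMBLE_SFD + ETH_HEADER + IP_HEADER + TCP_HEADER + FCS + IFG  # 78


def data_frames(file_bytes: int, mss: int = MSS) -> list[int]:
    """Payload size of each TCP segment needed to carry `file_bytes`."""
    full, rest = divmod(file_bytes, mss)
    return [mss] * full + ([rest] if rest else [])


def wire_bytes(file_bytes: int, mss: int = MSS) -> int:
    """Bytes that actually occupy the link to carry `file_bytes` of TCP
    payload in one direction (data segments only; ACKs use the reverse
    direction of a full-duplex link and do not compete for this capacity)."""
    return sum(payload + FRAME_OVERHEAD for payload in data_frames(file_bytes, mss))


def transfer_time_s(file_bytes: int, link_bps: float, mss: int = MSS,
                    rtt_s: float = 0.0) -> float:
    """Lower bound on wall-clock time for a TCP transfer of `file_bytes`.

    Assumes a zero-latency forwarder and a sender that never stalls.
    `rtt_s` charges the three-way handshake, which costs one round trip
    before the first data byte can be sent; the FIN exchange and the
    forwarder's own latency are ignored, so the real figure is higher."""
    return wire_bytes(file_bytes, mss) * 8 / link_bps + rtt_s


def max_tcp_goodput_bps(link_bps: float, mss: int = MSS) -> float:
    """Best-case application-layer throughput using full-size segments."""
    return link_bps * mss / (mss + FRAME_OVERHEAD)


if __name__ == "__main__":
    link = 100e6                      # 100BASE-T
    file_size = 12_500_000            # 12.5 MB = 100 Mbit, the post's example
    print(f"frames needed:          {len(data_frames(file_size))}")
    print(f"bytes on the wire:      {wire_bytes(file_size)}")
    print(f"time at line rate:      {transfer_time_s(file_size, link):.4f} s "
          f"(the file alone would take 1.0000 s)")
    print(f"best-case TCP goodput:  {max_tcp_goodput_bps(link) / 1e6:.2f} Mbit/s of 100")
```

With these assumptions the 100-Mbit file needs 8562 segments and about 13.17 MB of wire time, so the transfer takes roughly 1.053 s even before the handshake, teardown or any inspection latency is counted; the best a single TCP stream can deliver on the link is about 94.9 Mbit/s of application data. That is the gap between "bits on the wire" and "application throughput" that the post draws.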
