RE: 1Gb/s 3DES (Was RE: Firewall Throughput)

[Aaron Turner <aturner () vicinity com>]

On Tue, 19 Sep 2000, Robert Purdy wrote:

> > I do not know, if the latest version of  FW-1 supports threads now.
>
> No its still single threaded.
>
> That dosen't mean you should go out and buy a single processor machine;
> more, buy a multiprocessor capable machine with one processor for later
> expansion

Not to mention that while the firewall is single threaded, that doesn't
preclude other daemons/process from running on the other CPU- thus
allowing FW-1 to fully utilize that CPU.  

One thing I've noticed is that all the Firewall-1 benchmarks lately from
Checkpoint, Rainfinity, Stonesoft, etc are done on dual-CPU hardware.
Even when cost is a factor in the review, they're going with the more
expensive solution, which would indicate to me at least that the vendors
think having that second CPU there is worth-while.  Wether there is any
real data to support that, I don't know.

I've also heard from what I consider informed sources that the Solaris'
routing engine itself is also single threaded- but I've yet to find anyone
that can say absolutely for certain.  Regardless, I think it's becoming
quite clear to everyone that specialized hardware is the only real way to
scale firewalls much beyond 100Mbps.  Sure you can use layer 4 switches
like Radware's FireProof or load sharing software like Rainfinity, but all
of these options aren't nearly as elegant or as easy to administrate as
faster hardware.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards