Re: [fw-wiz] cyberguard performance?

From: ark@eltex.ru
Date: 12/30/02


From: ark@eltex.ru
To: David Lang <david.lang@digitalinsight.com>
Date: Mon Dec 30 08:00:17 2002

Sure. I still do not understand why use Cyberguard as stateful filter,
I bet Netscreen does the job better ;-)

It seems quite illogical to me that due to some market conspiracy the simple
fact that protecting DMZ and protecting office LAN are different tasks and
require completely different devices is somehow silenced all the time.

On Sun, Dec 29, 2002 at 03:24:50PM -0800, David Lang wrote:
> I just went through a review of cyberguard and it is primarily stateful
> filtering. It does have some proxies, but they appear to be primarily
> intended to work for office -> internet use.
>
> Getting performance numbers for cyberguard running all traffic through
> proxies is very hard to do.
>
> David Lang
>
> On Sat, 28 Dec 2002, Mikael Olsson wrote:
>
> > Date: Sat, 28 Dec 2002 16:35:07 +0100
> > From: Mikael Olsson <mikael.olsson@clavister.com>
> > To: ark@eltex.ru
> > Cc: firewall-wizards@honor.icsalabs.com
> > Subject: Re: [fw-wiz] cyberguard performance?
> >
> >
> > I don't know much about cyberguard in particular, but I do know
> > something about firewall throughput ...
> >
> > ark@eltex.ru wrote:
> > >
> > > KS 1500 - 1.5Gbps performance
> > > [...]
> > > > 426 bytes for proxy instance handling the connection, assuming there is
> > > no OS at all ;-)
> >
> > 426 bytes is __NOT__ enough for full TCP reassembly and transmission.
> > It _might_ be enough for the TCP Control Block itself, but you need
> > somewhere between a couple of KB and 128 KB for a live TCP stream,
> > depending on connection throughput, packet reordering and packet loss.
> >
> > Anyway, the performance figures you listed would lead me to believe
> > that it's doing stateful inspection and not proxying.
> >
> > 1.5Gbps stateful inspection (actually, a little bit more, with
> > well-optimized software) is doable with dual 66MHz/64bit PCI buses, like
> > the Dell 1550/1650 has. (Hmm... 1U rack server.. :))
> >
> >
> > > Is Cyberguard machine a generic Intel box?
> >
> > Yes, it's a PC. It runs a unix dialect that I can't quite
> > remember right now. SCO?
> >
> > --
> > Mikael Olsson, Clavister AB
> > Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> > Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
> > Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

-- 
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!