Re: [fw-wiz] Firewall scaling

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 02/22/04

    To: Tim Chettle <Tim.Chettle@orange.net>
    Date: Sun, 22 Feb 2004 15:23:09 +0100

    Tim Chettle wrote:
    >
    > What view do you all have on firewall scaling / performance?
    >
    > I have a requirement for a Gig capable firewall capable of handling
    > approx 100k sessions concurrently with varying packet sizes, and I am unsure
    > of the session setup rate.
    >
    > I would appreciate the list's views on factors to look for in terms of
    > performance indicators and experiences.

    I'm unsure what you're asking for here, but given your actual
    requirements, I thought I'd give you my view of what you should
    be shopping for in terms of raw numbers.

    If by "gig capable" you mean "capable of forwarding 1 gigabit/s
    in each direction", you need to double your numbers and aim for
    something that claims to handle 4 Gbps. The reason is that
    nearly all throughput figures list throughput for full packet
    sizes. So, rule of thumb: double your throughput figures,
    unless you know for a fact that the numbers presented are
    mixed packet size figures.

    For state table size: if your 100k connections is your expected
    normal usage, you need to guard against temporary floods to
    some extent, i.e. worm outbreaks such as SQL slammer. Or, heck,
    forget about worms, a room full of Unreal Tournament players
    can flood your state table by just refreshing their server
    lists at the same time.

    I'd recommend that you over-dimension your state table by at
    least a factor of three, so you should be shopping for something
    with a state table size of at least 300k connections. This way,
    the firewall has a better chance of dropping unwanted connections
    when the state table does fill up.

    Actually, all this is just sensible engineering that has been
    applied to all forms of construction for oodles of years --
    it's just something that we sometimes forget in network
    engineering.

    [disclaimer: I work for a company that manufactures firewalls, so
    for all you know, I could be flat out lying about firewall sizing
    just to get you to buy a bigger box :) ]

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
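The sizing arithmetic behind the post, as an added illustration that is not part of Mikael's message: datasheet throughput is usually measured with maximum-size frames, so the real limit is packets per second, and the post's "double it" factor is exactly the case where the average frame is half the maximum. The helper generalizes that to other average frame sizes; the 1518-byte maximum frame and the average sizes used are assumptions, not figures from the thread.

```python
# Added sizing helper, not from the original post. Datasheet throughput is
# usually measured with maximum-size frames, so the forwarding engine's real
# limit is packets per second; at a smaller average frame the bit rate falls
# proportionally. FULL_FRAME_BYTES and the average frame sizes used below are
# assumptions, not values from the thread.

FULL_FRAME_BYTES = 1518          # maximum standard Ethernet frame (assumption)


def pps_capacity(claimed_bps: float, frame_bytes: int = FULL_FRAME_BYTES) -> float:
    """Packets per second implied by a throughput claim measured at frame_bytes."""
    return claimed_bps / (frame_bytes * 8)


def throughput_at(claimed_bps: float, avg_frame_bytes: int) -> float:
    """Bit rate the same engine sustains once the average frame shrinks."""
    return claimed_bps * avg_frame_bytes / FULL_FRAME_BYTES


def required_claim(per_direction_bps: float, avg_frame_bytes: int,
                   directions: int = 2) -> float:
    """Full-frame datasheet figure needed to carry per_direction_bps in each
    direction when the real traffic averages avg_frame_bytes per frame."""
    need = per_direction_bps * directions
    return need * FULL_FRAME_BYTES / avg_frame_bytes


def meets_requirement(claimed_bps: float, per_direction_bps: float,
                      avg_frame_bytes: int, directions: int = 2) -> bool:
    """True if a full-frame claim still covers the bidirectional need at avg size."""
    return throughput_at(claimed_bps, avg_frame_bytes) >= per_direction_bps * directions


def state_table_target(expected_sessions: int, headroom: int = 3) -> int:
    """Over-dimension the state table so a flood does not exhaust it at once."""
    return expected_sessions * headroom


if __name__ == "__main__":
    for avg in (1518, 759, 512, 256):            # constructed average frame sizes
        print(f"avg frame {avg:4d} B: need a {required_claim(1e9, avg) / 1e9:.2f} Gbps "
              f"full-frame claim for 1 Gbps each way")
    print("4 Gbps claim, 759 B average, 1 Gbps each way:",
          meets_requirement(4e9, 1e9, 759))
    print("state table target for 100k sessions:", state_table_target(100_000))
```

The factor of two only holds when the average frame is about half the maximum; with a smaller average (the 512-byte row) the full-frame claim you need is correspondingly larger.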
