[NCLUG] Sizing Firewalls

J. Paul Reed preed at sigkill.com
Fri Apr 6 20:05:48 MDT 2001


On Fri, 6 Apr 2001, Michael Dwyer wrote:

> Hey, I've got a question for the group -- what are your thoughts on
> ipchains firewall sizing?  That is, what processor do you need to be
> able to move full bandwidth?

In response to your subject, we all know that it's not the size or speed of
your firewall, but what you push across it.

> Okay, so here is what I know:  A 486DX2/80 will move plenty of data, and
> happily route packets for years without appearing to break a sweat.  I
> know.  I've done this.  But one day, I replaced said box with a ppro/266
> -- and the throughput increased noticeably.  But the 486 didn't seem
> overloaded -- the processor usage was around 2% or so...

This was probably due to advancements in bus speeds between the 486 and
PPro mobos; as you've obviously found out experimentally, one of the major
bottlenecks of firewalls is the interconnect between the interfaces and the
bus, as well as the bus itself.

There's a reason why Cisco puts 40 Gb backplanes in equipment only capable
of holding enough interfaces to push 10 Gb across that backplane.

> So, what size of a processor do you need to fill a T1?

It's probably not the processor... I would think, though, that you'd be
able to fill a T1 quite nicely with some *quality* 10 Mb PCI NICs...

You might also check what your firewall is connected to... is it connected
directly to a DSU/CSU, or is there a router in there somewhere?  If there's
a router, are there ACLs? Cisco ACLs slow the routing down more than they
should, so if you have a firewall, you should firewall stuff there and not
in slow-ACL-Cisco-land...

> What tools do you use to test firewall throughput?  TCPSpray?  pathchar
> reports 2.9Mb/s, but it was also dropping 15% of the frames.  Ping and
> traceroute test latency, but not really bandwidth.

I like one of Sean's "unofficial-patented-firewall-tests" to test
bandwidth: transferring a large text file over ASCII ftp... or maybe it was
scp... I can't remember... he'll probably remind us all.

Anyway, just transfer a file from your firewall (or a machine just behind
it) to a machine that is as close to the other side of your T1 as you can
get... often times, a shell account at the ISP where the T1 is hosted. Do
this at night when there's no office traffic... see what kind of
performance ftp/scp show.

Another thing to think about is architecture *behind* the firewall... one
company a friend was working for had a medium sized office and had
something like 200 workstations, including R&D all on a series of
crisscrossed hubs...  performance sucked. They put in a central switch and
rewired all the hubs, and the performance increase was VERY noticeable,
especially since NetBEUI is so chatty.

Later,
Paul
  ----------------------------------------------------------------------
  J. Paul Reed                preed at sigkill.com || web.sigkill.com/preed
  AOL, CIA, NSA, whatever! They all have three letters, they all collect
  information, and they all screw the public -- User Friendly, 2/10/2000
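Paul's "push a big file across and watch what ftp/scp report" test can be done without FTP or SSH in the path at all, so that the measurement reflects the wire and the firewall rather than file-system or cipher cost. The following is an added example, not code from the thread or from any of the tools named in it; it is a small TCP sink-and-blast pair in Python 3 (function names start_sink, blast and fraction_of_t1 are made up here; the 1.544 Mb/s figure is the nominal T1 line rate). Run as written it talks to itself over loopback, which only proves the mechanism; the point of the design is that the sink can be started on a shell account at the far end of the T1 and blasted from a box just behind the firewall. The sink replies with the byte count it actually received, and the sender's clock keeps running until that reply arrives, so data still queued in socket buffers when sendall() returns is counted inside the timed window instead of inflating the rate.

```python
import socket
import threading
import time

CHUNK = 64 * 1024       # bytes per send(); big enough that the kernel, not Python, is the limit
T1_MBPS = 1.544         # nominal T1 line rate, megabits per second


def start_sink(host="127.0.0.1", port=0):
    """Start a one-shot receiver in a background thread.

    It drains one TCP connection, replies with the byte count it saw, then
    closes.  Returns (port, thread); port 0 lets the kernel pick a free port.
    On a real far-end box bind to "0.0.0.0" and a fixed port the firewall
    rules allow."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            total = 0
            while True:
                data = conn.recv(CHUNK)
                if not data:            # sender did shutdown(SHUT_WR): all bytes are in
                    break
                total += len(data)
            conn.sendall(b"%d\n" % total)   # tell the sender how much actually arrived
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], t


def blast(host, port, total_bytes):
    """Push total_bytes of filler to the sink and time the whole transfer.

    Returns (bytes_received_by_sink, seconds, megabits_per_second)."""
    payload = b"\x55" * CHUNK           # constructed filler; the content is irrelevant
    with socket.create_connection((host, port)) as c:
        start = time.perf_counter()
        sent = 0
        while sent < total_bytes:
            n = min(CHUNK, total_bytes - sent)
            c.sendall(payload[:n])
            sent += n
        c.shutdown(socket.SHUT_WR)
        # The sink replies only after it has drained everything, so waiting for
        # the reply keeps bytes still sitting in socket buffers inside the timed
        # window; stopping the clock right after sendall() would overstate the rate.
        reply = b""
        while True:
            data = c.recv(CHUNK)
            if not data:
                break
            reply += data
        elapsed = time.perf_counter() - start
    received = int(reply.strip() or b"0")
    mbps = received * 8 / elapsed / 1e6
    return received, elapsed, mbps


def fraction_of_t1(mbps):
    """How much of a T1 the measured rate would occupy (1.0 = a full pipe)."""
    return mbps / T1_MBPS


if __name__ == "__main__":
    port, thread = start_sink()
    received, secs, rate = blast("127.0.0.1", port, 16 * 1024 * 1024)
    thread.join()
    print("%d bytes in %.3f s = %.1f Mb/s (%.1fx a T1)"
          % (received, secs, rate, fraction_of_t1(rate)))
```

Do the same thing Paul suggests for the ftp/scp run: blast at night when there is no office traffic, with the sink as close to the far side of the T1 as you can get, and repeat a few times with a file-sized total (tens of MB) so TCP slow start stops dominating. If the count the sink reports is short of what was sent, something in the path closed the connection early, which is worth knowing on its own. A TCP test like this never sees individual frame loss the way pathchar reports it; retransmissions just show up as a lower rate.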