[fw-wiz] Firewall Throughput

JVBrown jvbrown@gte.net
Tue, 12 Sep 2000 21:55:31 -0400

Perhaps Mr. Moderator is busy with Interop, as this thread has got some of
our heads spinning.


The subject line is "firewall throughput" ... perhaps this thread should read
"Pix functionality".
While the discussion is quite architecturally esoteric, the subject line was
lost messages ago.

A discussion thread on firewall throughput that does not include a single
reference to NetScreen's NS100 and NS1000 security, performance and value
leadership position isn't representative.

The NS1000 specifications are as follows...these are the industry standards
in FW Throughput.

 1Gb/s stateful-inspection NAT firewall
 1Gb/s 3DES VPN
 25k IPSec tunnels
 500k concurrent sessions
 40k access screening policies
 VLAN 802.1q tag support
 Full ICSA certification
 Multi-tenant: 100 virtual systems within a system
 High availability
 Full redundancy

The NS100 is no slouch either ... 100Mb NAT, >70Mb 3DES, HA, ~200k concurrent
sessions, 25k connections/second, etc.

If throughput is the singular design objective, and rock-solid security
isn't a factor, about the only solution faster would be a wire itself, or
some infrastructure device with ACLs.


> -----Original Message-----
> From: firewall-wizards-admin@nfr.net
> [mailto:firewall-wizards-admin@nfr.net]On Behalf Of Patrick Darden
> Sent: Tuesday, September 12, 2000 10:15 AM
> To: Darren Reed
> Cc: darren.mackay@uq.net.au; firewall-wizards@nfr.net
> Subject: Re: [fw-wiz] Firewall Throughput
> On Tue, 12 Sep 2000, Darren Reed wrote:
> > > "Cisco push it along the lines of 'you don't want unix/windows on your
> > > firewall because they're crashable'"
> > >
> > > I would like to know where they state that.  It would be pretty
> > > hypocritical as the PIX has a Unix based OS (Plan 9).
> >
> > http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm
> > Look for the words "Non-Unix" (strictly speaking, this *is* true even if
> > it is Plan 9).
> Hmmm, the PIX is similar to the Nokia FW1 boxes in that they are hardened
> Unix derivatives, cut to the quick, performance enhanced, with ip
> filtering, stateful connection monitoring, and packet inspection.
> I find it interesting that they intimate bad things about Unix's security
> and performance, but only flat out state bad things about general purpose
> operating systems:
> "This design eliminates the risks associated with a general purpose
> operating system... (allowing the pix) to deliver outstanding
> performance".
> They are walking a fine line here.  I would venture to say that they have
> even crossed it.
> >
> > They're different, they need a marketing angle, they drive it.
> >
> > > "You damn well don't want a router as a firewall"
> > >
> > > I don't know of many firewalls that aren't routers as well, that includes
> > > the IP Filter you seem to like so much and even the BSD-based NOKIA
> > > running Checkpoint FW1.  Application-layer proxy based firewalls usually
> > > aren't routers, but otherwise...
> >
> > Router = thing which tftp's boot images, does BGP4, has no hard disk, etc.
> > Or to put it more succinctly in this thread, a Cisco 1234 thing.
> That is not a good definition of a router.  Routers do not have to boot
> via tftp, and they don't do it by default.  Routers don't even have to use
> BGP4.  The RFPs that define routers don't really mention any of
> this....  I know I am just being picky--you were just letting off steam.
> >
> > and likewise you shouldn't use routers to do firewalling when you're
> > serious about firewalling.
> I think we agree here, but I'll be picky again.
> Firewalls on routers have their place.  I believe in a multi-layered
> approach to security, and the first layer is having a well protected
> router that provides ingress/egress filtering (e.g. to prevent DDOS).
> They certainly should not be solely relied upon.
> > If I'm really serious about security then I *will* use/recommend a proxy
> > firewall, even in addition to anything else which is there.  There are
> > some things they offer which just can't be matched, in terms of security,
> > by any packet-filtering based firewall.
> Again, I think we agree.  An application proxy on a hardened host, behind
> a good stateful packet filter, is a tremendous security boost.
> > Do yourself a favour and stay ignorant of the development methodology
> > that goes on "behind the scenes" with Linux.  What are they now,
> > 2.4.pre34-test83, and still making major architectural changes inside it.
> > That's *insane*.  Sure, Solaris is stable, but you can't strap it down
> > as securely as you can BSD, plus you get source code for BSD.
> >
> I'm aware of the procedure, and I also know that Linus put a freeze on new
> features months ago.  He does not make major new architectural changes to
> the betas, and very rarely to the alphas.
> I agree that BSD is a great Unix.  However, I am not holy enough to state
> it is the best, and I really try to stay out of these religious debates.
> --
> --
> --Patrick Darden                Internetworking Manager
> --                              706.354.3312    darden@armc.org
> --                              Athens Regional Medical Center
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards@nfr.net
> http://www.nfr.net/mailman/listinfo/firewall-wizards