I am working on a proposal to deploy a firewall internally between secure
and insecure portions of a corporate network.
We don't yet have firm constraints, but I know that a forwarding rate across
the "wall" of at least 750 packets per second will be required based on
current statistics from a router. I believe this will turn out to be more
like 2500 packets per second once the firewall is implemented.
No data as to the numbers or types of concurrent connections is yet
available, but several hundred (mostly idle of course) telnet sessions are
likely to be required, along with perhaps 50 simultaneous FTP transfers.
Interactive telnet speed (i.e. packet latency) is more important than raw data
throughput rate. Other types of proxies (SNMP, WWW) are likely, but will be
of less frequency and significance.
A few problems have occurred to me:
1. Are any numbers available on performance constraints for a TIS firewall?
How much memory is required for a new Telnet, FTP or other type of proxy
connection? Is a new process forked?
2. Is there a "magic" upper limit on forwarding or connections which cannot
3. What type of box will be necessary (assuming we choose TIS) to service
this type of load? Will one (fault tolerant) box be sufficient?
4. If one box will not suffice (assumed), then is it possible to deploy
multiple boxes and direct specific traffic at each box? If the device looks
like a router (my assumption), is such traffic splitting viable without
static routes in clients?
5. If it is not possible to direct traffic to specific gateways, are there
any other options for load sharing?
maLogic SafeWord authentication system with the TIS firewall a good idea? I.e.,
do you take a further performance hit?
Any advice would be much appreciated.