On Thu, 20 Apr 1995, LEI YI T wrote:
> G'day all,
> I am working on a proposal to deploy a firewall internally between secure
> and insecure portions of a corporate network.
> We don't yet have firm constraints, but I know that a forwarding rate across
> the "wall" of at least 750 packets per second will be required based on
> current statistics from a router. I believe this will turn out to be more
> like 2500 packets per second once the firewall is implemented.
> No data as to the numbers or types of concurrent connections is yet
> available, but several hundred (mostly idle of course) telnet sessions are
> likely to be required, along with perhaps 50 simultaneous FTP transfers.
> Interactive telnet speed (i.e. packet latency) is more important than raw data
> throughput rate. Other types of proxies (SNMP, WWW) are likely, but will be
> of less frequency and significance.
> A few problems have occurred to me:
> 1. Are any numbers available on performance constraints for a TIS firewall?
> How much memory is required for a new Telnet, FTP or other type of proxy
> connection? Is a new process forked?
> 2. Is there a "magic" upper limit on forwarding or connections which cannot
> be exceeded?
> 3. What type of box will be necessary (assuming we choose TIS) to service
> this type of load? Will one (fault tolerant) box be sufficient?
The Gauntlet, TIS' commercial offering based on the FWTK, is currently
shipping with a 60 MHz Pentium box running a modified version of BSDI.
I would be surprised if this were not sufficiently powerful; however,
it would not, IMHO, meet your requirement for fault tolerance.
> 4. If one box will not suffice (assumed), then is it possible to deploy
> multiple boxes and direct specific traffic at each box? If the device looks
> like a router (my assumption), is such traffic splitting viable without
> static routes in clients?
Just about anything is possible if you work hard enough at it but my
impression is that trying to split types of traffic between multiple TIS
Gauntlet or TIS fwtk boxes would be a non-trivial undertaking. With the
fwtk/Gauntlet, the box does NOT "look" like a router. It looks very much
like a bastion host. Different configs are possible. One is where the box
has multiple Ethernet NICs (this is standard equipment for the Gauntlet);
one is from/to the untrusted network (e.g. the Internet, perhaps a
screening router attached to your ISP) and the other is to the trusted
(e.g. the "inside") network. The proxy software sits between the two and
applies the rules specified via your configuration information.
If you felt that you needed a more powerful platform (this component _may_
not be the bottleneck) you could run the fwtk on a multiprocessor machine.
Throw ten or 20 486-class CPUs at it and you probably won't have any CPU
bottleneck. If you chose some sort of an SMP architecture, this might also
allow you to satisfy your fault tolerance requirement, as well.
> 5. If it is not possible to direct traffic to specific gateways, are there
> any other options for load sharing?
> maLogic SafeWord authentication system with the TIS firewall a good idea? I.e.,
> Do you take a further performance hit?
> Any advice would be much appreciated.
> tyl11 @
**** cjolley @
net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****
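As an added illustration of the bastion-host proxy model described in the reply above (this is not code from the thread, the fwtk or Gauntlet), here is a minimal application-level relay: a per-connection worker checks the client against a rule table, then copies bytes both ways between the inside and outside sockets. It runs entirely on loopback, uses a thread where the fwtk would fork a process, and the rule tuple format, the `serve`/`echo` helpers and the constructed rule tables are all assumptions of the example.

```python
import ipaddress, socket, threading

def permitted(rules, client_ip, dst_host, dst_port):
    """True if some rule (client network, dest host or "*", dest port or "*") admits it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net)
               and host in ("*", dst_host) and port in ("*", dst_port)
               for net, host, port in rules)

def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst so the EOF propagates."""
    for chunk in iter(lambda: src.recv(4096), b""):
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def handle(client, rules, dst_host, dst_port):
    """Per-connection worker; the fwtk forks a process here, a thread is used for brevity."""
    if not permitted(rules, client.getpeername()[0], dst_host, dst_port):
        return client.close()  # denied: connection dropped, nothing is relayed
    with client, socket.create_connection((dst_host, dst_port)) as upstream:
        back = threading.Thread(target=pump, args=(upstream, client))
        back.start()
        pump(client, upstream)
        back.join()

def serve(handler, *args):
    """Listen on loopback, hand each accepted socket to handler in a thread, return the port."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(16)
    def loop():
        while True:
            conn, _ = lst.accept()
            threading.Thread(target=handler, args=(conn, *args), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lst.getsockname()[1]

def echo(conn):  # stand-in for the inside service (constructed): echoes its input
    pump(conn, conn)

def through_proxy(port, payload):
    """Client side: send payload via the proxy, return the reply (b"" if the proxy refused)."""
    try:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            return b"".join(iter(lambda: c.recv(4096), b""))
    except OSError:
        return b""
```

A denied client is simply closed before any upstream connection is opened, which is the behaviour to look for in proxy logs when sizing or auditing such a gateway.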