Great Circle Associates Firewalls
(April 1995)
 


Subject: TIS firewall performance?
From: George Mullins <george @ wicked . neato . org>
Date: Thu, 20 Apr 1995 10:29:45 -0700
To: LEI YI T <tyl11 @ uow . edu . au>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <199504200400 . OAA26232 @ wumpus . cc . uow . edu . au>
References: <199504200400 . OAA26232 @ wumpus . cc . uow . edu . au>

LEI YI T. writes:
 > 1. Are any numbers available on performance constraints for a TIS firewall?
 > Examples:
 > How much memory is required for a new Telnet, FTP or other type of proxy
 > connection? Is a new process forked?

I haven't seen anyone generate performance numbers for the FWTK or any
application relay.  Everyone just says, "oh, with a 60 MHz Pentium it
should be fast enough".

Again, there haven't been any real numbers for memory required.  

And yes, a new process with all of its overhead of process creation
and memory requirements is forked for each connection (two for ftp).

 > 2. Is there a "magic" upper limit on forwarding or connections which cannot
 > be exceeded?

There certainly is, but it depends on hardware - processor, memory,
and what OS you've layered the relay on.

 > 
 > 3. What type of box will be necessary (assuming we choose TIS) to service
 > this type of load? Will one (fault tolerant) box be sufficient?

Maybe a Cray - actually they're not good at IO :-)

I doubt that a Pentium box or Sun could adequately handle this, but
quite a bit depends on the nature of the connections.  If the
connections once established are relatively static this greatly
improves things (you wouldn't believe the overhead in binding ports),
but remember that every packet has to context switch from kernel space
to user space and back - lots and lots of overhead.

 > 4. If one box will not suffice (assumed), then is it possible to deploy
 > multiple boxes and direct specific traffic at each box? If the device looks
 > like a router (my assumption), is such traffic splitting viable without
 > static routes in clients?

The FWTK is not a router and doesn't look like a router, and as a
result you could put different services on different boxes.  Put your
telnet gateway on one box and your ftp gateway on another.  But this
adds complexity.

 > 5. If it is not possible to direct traffic to specific gateways, are there
 > any other options for load sharing?

You can do number 4 above.

 > maLogic SafeWord authentication system with the TIS firewall a good idea? IE
 > Do you take a further performance hit?

One-time passwords are a good idea, but one thing to remember is that
if you don't have them on all of your end systems then the first thing
the user does after authenticating herself to the firewall is to type
her username and password IN THE CLEAR for her end system.

And yes, there is added overhead, more network connections and
processes, to handle the database lookups.  You don't want the
SafeWord database on your firewall machine(s).

	george
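
The process model George describes above (a fresh process forked for every
connection, every chunk of data read into user space and written back out)
is easy to see in a minimal relay.  The following is an added example, not
code from the FWTK or from the original post; the function names, the
4 KB buffer and the AF_UNIX self-test payload are my own choices, and the
self-test uses socketpairs instead of a network so it runs offline.

```c
/* plugrelay.c: minimal fork-per-connection TCP relay in the style of the FWTK
 * plug-gw. Added example, not FWTK code. Wire it up with bind()/listen() and serve(). */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write all of p to fd, retrying short writes and EINTR. Returns 0 or -1. */
static int write_all(int fd, const char *p, size_t len) {
    for (ssize_t n; len > 0; p += n, len -= (size_t)n)
        if ((n = write(fd, p, len)) < 0) { if (errno == EINTR) n = 0; else return -1; }
    return 0;
}

/* Move one chunk src -> dst through user space (the kernel/user/kernel round
 * trip per packet). Returns bytes moved, 0 at EOF (passed on to dst), -1 on error. */
static long pump(int src, int dst) {
    char buf[4096];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) < 0 && errno == EINTR) {}
    if (n < 0) return -1;
    if (n == 0) { shutdown(dst, SHUT_WR); return 0; }
    return write_all(dst, buf, (size_t)n) < 0 ? -1 : (long)n;
}

/* Relay both ways between a and b until each direction has seen EOF.
 * Returns total bytes relayed, or -1 on error. */
long relay_pair(int a, int b) {
    int a_open = 1, b_open = 1;                /* a->b and b->a still flowing */
    long total = 0, n;
    while (a_open || b_open) {
        fd_set rfds;
        FD_ZERO(&rfds);
        if (a_open) FD_SET(a, &rfds);
        if (b_open) FD_SET(b, &rfds);
        if (select((a > b ? a : b) + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (a_open && FD_ISSET(a, &rfds)) {
            if ((n = pump(a, b)) < 0) return -1;
            if (n == 0) a_open = 0; else total += n;
        }
        if (b_open && FD_ISSET(b, &rfds)) {
            if ((n = pump(b, a)) < 0) return -1;
            if (n == 0) b_open = 0; else total += n;
        }
    }
    return total;
}

/* Accept loop: one fork() per accepted connection, as the FWTK proxies do; the
 * child opens its own connection to the target and relays until both sides close. */
int serve(int listen_fd, const struct sockaddr *target, socklen_t target_len) {
    for (;;) {
        int c = accept(listen_fd, NULL, NULL);
        if (c < 0) { if (errno == EINTR) continue; return -1; }
        pid_t pid = fork();
        if (pid == 0) {
            close(listen_fd);
            signal(SIGPIPE, SIG_IGN);              /* a peer vanishing must not kill us */
            int s = socket(target->sa_family, SOCK_STREAM, 0);
            if (s < 0 || connect(s, target, target_len) < 0) _exit(1);
            relay_pair(c, s);
            _exit(0);
        }
        close(c);                                  /* parent keeps only the listener */
        while (waitpid(-1, NULL, WNOHANG) > 0) {}  /* reap finished children */
    }
}

/* Offline self-test: two AF_UNIX socketpairs stand in for the client and server
 * legs (constructed input); a child relays, the parent sends a line in one end and
 * reads it out of the other. Returns the byte count that arrived intact, or -1. */
long relay_selftest(void) {
    const char msg[] = "USER anonymous\r\n";      /* constructed sample payload */
    char out[64];
    int cli[2], srv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, cli) < 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, srv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(cli[0]); close(srv[1]); relay_pair(cli[1], srv[0]); _exit(0); }
    close(cli[1]); close(srv[0]);
    if (write_all(cli[0], msg, sizeof msg - 1) < 0) return -1;
    shutdown(cli[0], SHUT_WR);                    /* client finished sending */
    long got = 0; ssize_t n;
    while ((n = read(srv[1], out + got, sizeof out - (size_t)got)) > 0) got += n;
    close(srv[1]); close(cli[0]);
    waitpid(pid, NULL, 0);
    return (got == (long)(sizeof msg - 1) && memcmp(out, msg, (size_t)got) == 0) ? got : -1;
}
```

serve() is what a main() would call after bind() and listen() on the
gateway port; relay_selftest() exercises relay_pair() on socketpairs with no
network at all.  Running either under strace -f makes the costs in the
message visible: one fork per accepted connection, and a read() plus a
write() for every chunk of data, each of which crosses the kernel/user
boundary.  An FTP proxy pays this twice, once for the control connection and
once for each data connection.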

