Sizing a firewall depends on many factors and there is no absolute
answer. Get more horsepower than you think you will need and make sure
that your get good quality interface cards. Some considerations include:
1. The size of the rule base. If you allow everyone out with no
restrictions and no one, in then the firewall doesn't have to work too
hard to decide whether to pass a packet.
2. The line speed. The line speed is more of a bottleneck than the
firewall, at least up to T1 + connections. The speed of an internet
connection depends on the speed of the remote server, overall Internet
congestion and the speed of the local link. For most businesses the
firewall does not typically add a lot of latency. So don't buy a
powerhouse firewall to serve a 56 K line.
3. Encryption. VPNs are CPU intensive and can add a lot of latency.
4. The type of traffic. The firewall needs to hold state information for
every TCP conection, so a web browser might make a lot of little
connections as opposed to an ftp client which might make only one.
5. Application level filtering. Do you want to screen files types or
http tags in the data stream? If so then you will need cycles to do so.
6. Logging. Do you want the firewall to do a reverse lookup on every IP
address it sees? It makes the logs more readable but it does add
overhead. Do you want real-time logging to a GUI? The cycles have to
come from somewhere.
7. Other services. DNS can add overhead on a busy network, and obviously
so can running a web or ftp server on the same box as the firewall
(which is NOT recommended).
... I am sure other readers can add more considerations...
For an NT based firewall on less than a T1 connection for 500 users you
should look at a Pentium Pro 200 with at least 64 Mb RAM, 2 gig HD, high
quality Ethernet cards. There are ways of doing this more cheaply, but
since you are asking this question I am assuming you don't want to be
playing around with Linux on a 486. Of course, if you need screaming
performance and money is no object then you might want to look at a UNIX
platform (no holy wars please).
> I was wondering what hardware platform is best to support a company
> ~500 users. The firewall is gauntlet 4.0. What I need to find out is
> system architecture, CPU speed, memory size, etc for the machine
> going to hold the firewall.
Choreo Systems - Vancouver
(604) 737-3993 www.choreosystems.com seane @
Firewalls, encryption, security tools
X.11, NFS, TCP/IP
Messaging and Directory software