Great Circle Associates Firewalls
(December 1997)


Subject: Re: NT as a central intranet firewall
From: Christophe Dupre <cdupre @ risq . qc . ca>
Date: Thu, 11 Dec 1997 09:51:35 -0500
To: "Billy Verreynne" <vslabs @ onwe . co . za>
Cc: "David Lang" <dlang @ diginsite . com>, Firewalls @ GreatCircle . COM
In-reply-to: Your message of "Thu, 11 Dec 1997 09:43:07 +0200." <01bd0608$6c27e1e0$f3040059 @ billyv . vslabs . co . za>

> It depends on your definition of decent results. :-) I agree, NT can
> sometimes be dog slow, but you have to take into consideration how the
> kernel works. All user code runs in cpu ring 2 and kernel code in ring 0 -
> swapping between rings has overheads. Which is one of the reasons why OS/2
> (older versions anyway - I haven't had the time to play with the latest
> versions of OS/2) and some other operating systems have operating system
> code residing in ring 2. But IMHO the right platform for NT is MIPS and not
> Intel.

One small detail here - kernel code running on ring 0, and user code running
on ring 2, that's standard in any multi-user OS, be it on PCs, MIPS, Alpha,
etc... (well, only PC CPUs have more than 2 rings, but that's a technicality).
So the time it takes to switch from one ring to the next is NOT a reason for
sluggishness, all other OSes have the same overhead... Well, even more so: under
NT, the GUI is running in ring 0 (it means that if it crashes, your system is
toast), so that the GUI is a bit more responsive. Compared with other OSes
(OS/2, Linux, FreeBSD etc) where the GUI is running in ring 2, I think MS did
a poor job... I mean, my Linux GUI is more responsive on my P150/48 Megs than
NT on a PPro200/64Megs...

> And how I wish for proper telnet for NT!

Aren't we all?

> With NT 4 (or was it 3.5?), Microsoft moved a lot (all?) of the GDI
> (Graphics Device Interface) code into ring 2 - one of reasons I think was
> that if the GDI crashes in ring 0 or ring 2 because of a buggy GDI driver you
> still have no display to see what happened or to correct it. This has made
> NT's graphics display more "snappier" (or so they say).

See above... The GDI has to be in ring 0 to be able to access the graphics
card. The reason the GUI moved to ring 0 was to offset the sluggishness of the 

> It seems to me that there must be some tradeoff between how robust you can
> make the o/s, vs. the resulting o/s performance. And then there are also
> limitations with the CPU architecturing. Does pipelining for example work as
> well with a Pentium-based CPU as a RISC-based CPU?

Yes there is. But MS made a botched job of it, partially because of the HAL
(Hardware Abstraction Layer) that causes all hardware access to be delayed.
Theoretically, it was supposed to make the OS more portable to other hardware...
So came the Alpha port, and came and went the PPC and MIPS ports...
Meanwhile, Linux (and other OSes) do not have that HAL, and ARE ported to much
more hardware... How funny...

BTW, don't you hate the way under NT the Administrator is NOT able to kill a process owned by any other user? Makes debugging applications running under IIS damned difficult... I have to reboot every hour or so...

Anyway, I believe we have strayed far from this list's topic, so let's move on.

Christophe Dupre
