Great Circle Associates Firewalls
(November 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Secure subnet and prformance
From: Ted Lemon <mellon @ ipd . wellsfargo . com>
Date: Wed, 02 Nov 1994 15:23:47 -0800
To: "Peter Summers, Computer Engineer, Cardiology" <PETER @ cardiology . medrmh . unimelb . edu . au>
Cc: firewalls @ greatcircle . com
In-reply-to: Your message of "Thu, 03 Nov 1994 09:15:41 +1000." <90574B2A25 @ cardiology . medrmh . unimelb . edu . au>

I do not run a DEC SEAL gateway, so I don't know any specifics.  The
original poster's statement is probably true for his environment.
However, one of my Internet accounts does go through a DEC SEAL
gateway, and I routinely experience abysmal performance telnetting
through the DEC SEAL telnet proxy server to hosts on the other side of
the gateway.

This could be a problem with the internet feed on the other side of
the firewall, or it could be the firewall itself.  I have no way of
isolating these factors, since I don't run the gateway.  My gut
feeling is that the bastion host is having scheduler problems, but
that's not an objective evaluation.

If you want a real answer to this question, you'll have to get a SEAL
box in, hook some machines up on either side of it, and actually
measure performance through the firewall given loads similar to what
you're expecting to have.   I have never seen benchmarks like this for
any commercial firewall.   I'd be very interested to.

The thing that most surprised me was the apparent claim that the
firewall had no performance limitations.  This can't be true - if
nothing else, there are absolute limits on the performance of the
system bus.  Long before those limits are hit, I would expect to see
problems with the I/O and CPU scheduling algorithms used in OSF/1 (or
Ultrix, for that matter).   What may be true is that the performance
limits are greater than the bandwidth of the connection(s) on the
other side.   I could be convinced of this (indeed, I believe this is
true for the filtering router), but I haven't seen any evidence yet.

			       _MelloN_


--
Ted Lemon		      Wells Fargo Bank, Information Protection Division
twlemon @
 ipd .
 wellsfargo .
 com					+1 415 477 5045


Follow-Ups:
References:
Indexed By Date Previous: Re: Ohhhhhh Noooooooo
From: Jeff Murphy <jcmurphy @ cadman . cit . buffalo . edu>
Next: DOOMed
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Indexed By Thread Previous: Re: Secure subnet and prformance
From: "Peter Summers, Computer Engineer, Cardiology" <PETER @ cardiology . medrmh . unimelb . edu . au>
Next: Re: Secure subnet and prformance
From: "Roger Masse's the named" <rmasse @ unix . CNRI . Reston . VA . US>

Google
 
Search Internet Search www.greatcircle.com