>The reason is that performance thru a firewall is lousy, by any definition of
>"lousy". The reason is that you are violating the rules of performance that
>the network folks figured out back in the dark ages of IP (1987 or so):
Not going to attribute this because IMNSHO it is at best, wrong. True but
wrong.
The reason that firewalls are not designed to handle T1+ speeds (though
several can apparently handle ca. 3 Mbps) is that the market is not there.
To get that kind of speed you do not use Ethernet. But more important, most
people do not have more than T-1 and few need that kind of connect rate with
the outside.
Now if I really wanted speed, I would not use a router (which most firewalls are)
in the first place, I would use a rules-based parallel sieve to make decisions.
However few people need that kind of "cross the wall" bandwidth. Rather the
bulk of the communications today within a department are just that, within
a department and never need pass through the router/bridge (think a posting
a few days ago got this confusion started).
For the most part, a good PC is only capable of about 160 kbps max (and I see
many operating at about 60 kbps - at that rate a 56 kbps line could just about
keep up with one user).
I really think the poster was overemphasizing the importance of raw speed. Of
course if you have a three-mile-long ACL and allow every service up to and
including DOOM, performance will suffer. On the other hand, a restricted
link with a well-thought-out ACL can be quick enough for most systems to be
able to handle it.
Warmly,
Padgett
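The point about a "three-mile-long ACL" versus a short, restricted one is easy to make concrete. The following is an added illustration, not code from the original post or from any product it mentions: a toy first-match ACL evaluator that counts how many rules must be examined before a packet is permitted or hits the implicit deny. The rule sets and packets are constructed for the example; a permissive list with one permit per allowed service and a deny-all at the end costs one comparison per rule for every packet that is not allowed, while a short default-deny list settles every packet in a handful of comparisons.

```python
"""Added example (not part of the original post): first-match ACL cost.

A hypothetical packet filter walks its rule list top to bottom and stops at
the first matching rule; anything that matches nothing is implicitly denied.
The number of rules examined per packet is the cost this toy model measures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both its protocol and its port selector apply."""
    proto_ok = rule.proto == "any" or rule.proto == pkt.proto
    port_ok = rule.dst_port is None or rule.dst_port == pkt.dst_port
    return proto_ok and port_ok


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rules_examined) for a first-match walk of the ACL.

    Packets that match no rule are denied after the whole list is scanned,
    which is exactly the case a long permissive list pays for most often.
    """
    for examined, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, examined
    return "deny", len(acl)


def build_permissive_acl(n_services: int) -> List[Rule]:
    """Constructed 'allow everything' list: one permit per TCP service on
    ports 1000..1000+n-1 (hypothetical port range), then a deny-all."""
    acl = [Rule("permit", "tcp", 1000 + i) for i in range(n_services)]
    acl.append(Rule("deny", "any", None))
    return acl


# Constructed restricted list: only mail and web through, everything else denied.
RESTRICTED_ACL: List[Rule] = [
    Rule("permit", "tcp", 25),
    Rule("permit", "tcp", 80),
    Rule("deny", "any", None),
]


def average_cost(acl: List[Rule], packets: List[Packet]) -> float:
    """Mean number of rules examined per packet over a constructed sample."""
    return sum(evaluate(acl, p)[1] for p in packets) / len(packets)


if __name__ == "__main__":
    # Constructed traffic mix: some allowed web traffic plus unsolicited noise.
    sample = [Packet("tcp", 80)] * 5 + [Packet("udp", 53), Packet("tcp", 23)] * 5
    long_acl = build_permissive_acl(500)
    print("restricted ACL, avg rules examined:", average_cost(RESTRICTED_ACL, sample))
    print("500-service ACL, avg rules examined:", average_cost(long_acl, sample))
```

The model ignores the per-rule cost itself, which on real filters of the day was roughly constant, so rules examined per packet is the quantity that grows with ACL length. Putting the most frequently matched permits first and keeping the permit list short are the two knobs this exposes.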