On Thu, 20 Apr 1995, LEI YI T wrote:
> G'day all,
> I am working on a proposal to deploy a firewall internally between secure
> and insecure portions of a corporate network.
> We don't yet have firm constraints, but I know that a forwarding rate across
> the "wall" of at least 750 packets per second will be required based on
> current statistics from a router. I believe this will turn out to be more
> like 2500 packets per second once the firewall is implemented.
Across what? Local ethernet segments I assume?
> No data as to the numbers or types of concurrent connections is yet
> available, but several hundred (mostly idle of course) telnet sessions are
> likely to be required, along with perhaps 50 simultaneous FTP transfers.
> Interactive telnet speed (ie packet latency) is more important than raw data
> throughput rate. Other types of proxies (SNMP, WWW) are likely, but will be
> of less frequency and significance.
> A few problems have occurred to me:
> 1. Are any numbers available on performance constraints for a TIS firewall?
> How much memory is required for a new Telnet, FTP or other type of proxy
> connection? Is a new process forked?
A new process will be spawned by inetd to service the request. It will
do a quick lookup to make sure it's legit based on all sorts of rules.
This only happens at the beginning of a session, not with each arriving
> 2. Is there a "magic" upper limit on forwarding or connections which cannot
> be exceeded?
Good question. I think the limits are based on the resource limits of
the system, not the toolkit. Marcus?
> 3. What type of box will be necessary (assuming we choose TIS) to service
> this type of load? Will one (fault tolerant) box be sufficient?
Last week I ran ftp-gw on a 90 MHz Pentium. It happened to have 64 MB of
ram, which is much more than necessary, and two ethernet cards. I got
somewhere around 800KB/sec throughput at almost 100% cpu utilization. I
didn't pursue it much farther: we only have a T1 and 800K is about 5
times the T1 bandwidth.
> 4. If one box will not suffice (assumed), then is it possible to deploy
> multiple boxes and direct specific traffic at each box? If the device looks
> like a router (my assumption), is such traffic splitting viable without
> static routes in clients?
The fwtk does not look like a router. It is possible to split the load a
number of ways: by function is one - put ftp-gw on one system, tn-gw on a
second, etc. etc. You can also do it by playing games with DNS, so that
ftp-proxy.abc.com brings up revolving IP addresses, thus dishing requests
off to different boxes.
> 5. If it is not possible to direct traffic to specific gateways, are there
> any other options for load sharing?
> maLogic SafeWord authentication system with the TIS firewall a good idea? IE
> Do you take a further performance hit?
> Any advice would be much appreciated.
Hope this helps some:)
It's *amazing* what one can accomplish when
one doesn't know what one can't do!
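Added illustration, not part of the original message: the two load-splitting options the reply describes for the fwtk, a per-function split where inetd starts only ftp-gw on the FTP hosts and only tn-gw on the telnet host, and a DNS name with several A records so lookups of ftp-proxy.abc.com rotate between the FTP boxes. The install path /usr/local/etc, the host names other than ftp-proxy.abc.com and the 192.0.2.x addresses are assumptions for the example.

```text
# --- Host A (ftp-proxy-1.abc.com, 192.0.2.11), /etc/inetd.conf ---
# inetd forks one ftp-gw per incoming FTP control connection, as the reply
# describes; no telnet proxy is offered on this host.
ftp     stream  tcp  nowait  root  /usr/local/etc/ftp-gw  ftp-gw

# --- Host B (ftp-proxy-2.abc.com, 192.0.2.12), /etc/inetd.conf ---
ftp     stream  tcp  nowait  root  /usr/local/etc/ftp-gw  ftp-gw

# --- Host C (tn-proxy.abc.com, 192.0.2.21), /etc/inetd.conf ---
# Telnet proxying gets its own box so interactive latency does not
# compete with bulk FTP transfers for CPU on the same machine.
telnet  stream  tcp  nowait  root  /usr/local/etc/tn-gw   tn-gw

# --- abc.com zone file (BIND): several A records under one name ---
# The name server returns the address list in rotating order, so
# successive clients are spread over both FTP proxy hosts. A short TTL
# limits how long clients keep using a host that has been taken out.
ftp-proxy      300  IN  A   192.0.2.11
ftp-proxy      300  IN  A   192.0.2.12
ftp-proxy-1         IN  A   192.0.2.11
ftp-proxy-2         IN  A   192.0.2.12
tn-proxy            IN  A   192.0.2.21
```

Round-robin DNS does no health checking, so a proxy host that has failed keeps receiving its share of new connections until its record is removed and the TTL has expired. Each client session is a single TCP connection handled entirely by the box it landed on, so nothing has to be split per packet and no static routes are needed on the clients.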