David Newman wrote:
> > The "headers" stuff degrades throughput.
>
> Right. So you agree, then, that even in theory it's not possible to move 100
> Mbits of *user data* (e.g., a 12.5-Mbyte file) in 1 second over fast
> Ethernet?
Agreed.
> > The other stuff
> > degrades latency.
>
> They also degrade throughput. SYNs, FINs, and 3-way handshakes put bits on
> the wire too, and get counted in a throughput measurement (see RFC 1242). If
> you're speaking of application-layer throughput (e.g., what wu-ftpd reports)
> the overhead doesn't get counted -- but that measurement will never report
> moving 12.5 Mbytes/second unless the implementation is seriously broken.
True. I had forgotten about the SYN & ACK traffic on a simplex line.
So now there's lots of reasons why application layer bandwidth never can reach
raw "line-speed" bandwidth. However, none of those reasons have anything to do
with a firewall being in the way. I continue to assert that for whatever the
upper bound is on network throughput, it is possible to put a big badass
firewall in the way, and with sufficient memory and computes in the firewall,
run that puppy at the same *throughput* as the un-mediated line.
Consider an analogy to the New Jersey Turnpike:
* cars are like packets
* latency is the transit time from NYC to DC
* throughput is the number of cars per hour past a given point
* toll booths (like firewalls) do inspection, and definitely affect latency
* if the power of the toll booth (how many booths you have) is insufficient,
then they cause a backlog, cars/packets queue up, and throughput degrades
* if the power of the toll booth is sufficient, then all cars/packets get
their own booth upon arrival, and throughput is not affected
Continuing the analogy, if you were to do something like encapsulation or
tunneling (wrapping packets inside packets, a la IPSec) then you have added
headers, making the payload packets bigger. This is as if you made all the
cars 45 feet long, degrading the number of cars that can pass a given point per
hour (because they can't pack as close together). *That* will degrade
throughput, no matter how much compute power you put in the firewall.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
Received on Mar 21 2000
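As an added illustration of the header-overhead point in Crispin's reply (example code, not from the thread or its participants), the following Python computes how much user data a full-size TCP segment delivers per second on 100 Mbit/s Ethernet, with and without an assumed ESP tunnel-mode encapsulation. The Ethernet framing and ESP sizes are my assumptions, and the ACK and handshake traffic the thread also mentions is left out, so the figures are an upper bound.

```python
"""Goodput (user-data throughput) on fast Ethernet, plain vs. ESP-tunneled.

Added example; the framing and ESP parameters below are assumptions,
not measurements from the discussion.
"""
from dataclasses import dataclass
from typing import Optional

LINE_RATE_BPS = 100_000_000          # 100 Mbit/s fast Ethernet
ETH_MTU = 1500                       # largest IP packet one frame carries
# Per-frame wire overhead: preamble+SFD 8, MAC header 14, FCS 4, inter-frame gap 12
ETH_FRAME_OVERHEAD = 8 + 14 + 4 + 12
IPV4_HDR = 20
TCP_HDR = 20


@dataclass
class EspTunnel:
    """Assumed ESP tunnel-mode sizes (e.g. a 16-byte-block CBC cipher, 96-bit ICV)."""
    outer_ip_hdr: int = 20
    esp_hdr: int = 8        # SPI + sequence number
    iv: int = 16
    block: int = 16         # cipher block size that padding must reach
    trailer: int = 2        # pad length + next header
    icv: int = 12

    def encapsulated_size(self, inner_packet: int) -> int:
        """Bytes on the wire for an inner IP packet after ESP tunnel encapsulation."""
        # pad so (inner + pad + trailer) is a whole number of cipher blocks
        padded = -(-(inner_packet + self.trailer) // self.block) * self.block
        return self.outer_ip_hdr + self.esp_hdr + self.iv + padded + self.icv


def max_user_payload(tunnel: Optional[EspTunnel] = None) -> int:
    """Largest TCP payload per packet that still fits the MTU after encapsulation."""
    payload = ETH_MTU - IPV4_HDR - TCP_HDR
    if tunnel is None:
        return payload
    while tunnel.encapsulated_size(IPV4_HDR + TCP_HDR + payload) > ETH_MTU:
        payload -= 1
    return payload


def goodput_bps(tunnel: Optional[EspTunnel] = None, line_rate: int = LINE_RATE_BPS) -> float:
    """User-data bits per second when the link is saturated with full-size packets."""
    payload = max_user_payload(tunnel)
    packet = IPV4_HDR + TCP_HDR + payload
    on_wire = packet if tunnel is None else tunnel.encapsulated_size(packet)
    return line_rate * payload / (ETH_FRAME_OVERHEAD + on_wire)


def goodput_mbytes_per_s(tunnel: Optional[EspTunnel] = None) -> float:
    """Same figure in decimal Mbytes/s, comparable to the 12.5-Mbyte figure in the thread."""
    return goodput_bps(tunnel) / 8 / 1_000_000
```

Even without a firewall, the plain case lands well under 12.5 Mbytes/s, and the tunneled case loses a further few percent purely to the extra headers and padding.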