Firewall Wizards mailing list archives
Re: 1Gb/s 3DES (Was RE: Firewall Throughput)
From: Peter Bruderer <brudy () bruderer-research com>
Date: Sun, 17 Sep 2000 09:16:42 +0200
As far as I can remember, FW-1 was never really fast. 2 years ago I had a complaining customer, because FW-1 4.0 on a Sun Ultra 2 with 2 CPUs with NAT let only 90KByte/s of FTP traffic pass. If FW-1 was disabled, the same machine had a throughput of 560KByte/s. The same box running SunScreen SPF-200 had a throughput of 380KByte/s (FTP with NAT).

At that time I found out that FW-1 did not use threads. I was told by SUN that FW-1 will always run on just one CPU, even if you have multiple CPUs in a machine. I do not know if the latest version of FW-1 supports threads now.

But if FW-1 cannot even compete with a NS100 (speed!), why should it be able to compete with NS1000, which is about 10 times faster?

BTW the VPN 3DES throughput of a NS100 is 85MBit/s. (measured myself, not read in a paper!)

"Volker Tanger" <Volker.Tanger () globalone net> writes:
The NS1000 specifications are as follows...these are the industry standards in FW Throughput.

- 1Gb/s stateful-inspection NAT firewall
- 1Gb/s 3DES VPN

You'll forgive me for being sceptical, but that's a _lot_ of 3DES throughput.

For comparison: according to Checkpoint, the raw packet throughput of its own Firewall-1 does not exceed 250 MBit/s (http://www.checkpoint.com/products/firewall-1/pbrief.html). 3DES throughput even with hardware 3DES accelerator (http://www.checkpoint.com/products/vpn1/vpn1perfdata.html) does not exceed 60 MBit/s. A difference by factor 4 with raw throughput is believable - but for factor 20 against hardware accelerated VPN I'd like to be doubtful, too.
have fun ...

--
===============================================================
Peter Bruderer            mailto:brudy () bruderer-research com
Bruderer Research GmbH    Tel ++41 52 620 26 53
IT Security Services      Fax ++41 52 620 26 54
CH-8200 Schaffhausen      http://www.bruderer-research.com
===============================================================
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
