RE: Firewall performance
Marcus J. Ranum (mjr
nfr.net)
Wed, 23 Jun 1999 20:57:43 -0400
>* The TCP/IP stack (which is to some degree the OS) -- NT is reputed to have
>a sub-par TCP/IP stack as far as performance is concerned. ie. Max
>throughput for a single socket in NT will generally be less than on Solaris,
>etc. The best software in the world can only send and receive data as
>quickly as the TCP/IP stack can manage.
Depends on whether or not it's a proxy firewall or a filter. A
lot of the vendors that make NT-based firewalls access data just
above NDIS, then make a go/no-go decision at that point. Doing
that eliminates NT's IP stack entirely. Same applies for a Checkpoint
running on Solaris - the IP stack only comes into play when a
packet is permitted up the stack to the machine itself (which is
usually a bad idea!)
Some of the NT firewalls perform pretty well, in fact, since
NT is really just acting as a GUI and program loader/filesystem
while the firewall itself is basically a kernel mode device
driver.
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:01 CDT