Subject: Re: [fw-wiz] FW-1 throughput question
From: Aaron Turner (aturnervicinity.com)
Date: Wed May 17 2000 - 16:52:14 CDT


People who know more than I tell me so. :) I think I found it
mentioned once on SunSolve as well, but damned if I can remember where.

Let me be clear here though. If you're doing a lot of host (like an FTP
server) traffic, then yes, multiple CPUs will help you. That does not
hit the routing "engine" of the Solaris kernel. However, in a firewall
application like FW-1, it does route packets between interfaces, which
would incur the scalability hit.

-- 
Aaron Turner        aturnervicinity.com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com

On Sat, 13 May 2000, Darren Reed wrote:

> In some email I received from Aaron Turner, sie wrote:
> >
> > The part of the Solaris kernel that routes packets (FW-1 is a router) is
> > single threaded. Hence, max throughput is determined more by the speed of
> > the CPU than the number of CPUs. Two CPUs is probably the sweet spot in
> > terms of price/performance for sites needing a lot of throughput. (The
> > other CPU would be dedicated to other OS/Firewall tasks such as logging.)
>
> Hmmm. What makes you believe it is single threaded? I've not seen any
> evidence which would support that theory. I've definitely seen crashes
> where there have been numerous threads coming up through hmeread(). One
> CPU per interface.
>
> Darren
>