[unisog] High speed firewalls - Connections per second not bits per second

Florian Weimer fw at deneb.enyo.de
Mon Feb 21 22:17:34 GMT 2005


* Jim Mayne:

> So my question is do you all know of firewalls, stateful inspection and
> not just ACL's on routers, that can really handle large numbers of
> connections per second? I see a lot about bps but not too much about
> cps.

There simply are no affordable devices that can handle millions of
connections per second (or just hundreds of thousands).  Some devices
can automatically blacklist source or destination addresses which
generate too many flows.  But this only trades lots of fine-grained
state information for less coarser state information and doesn't solve
the inherent problem.  It can easily backfire, too.

You have to rethink your network design if you run into your problems.
Either switch to stateless filtering where feasible (and use
application-layer gateways for the rest), or add more stateful
filtering devices, preferably in a way that geographically localizes
failures (for socially enforced rate limits).  You could also put a
separate stateless filter in front of your Checkpoint box.  At least,
this would give you some response mechanism, altough it's a bit
ridiculous.



More information about the unisog mailing list