[Dshield] Query regarding Gigabit Firewalls

John Draper crunch at shopip.com
Fri Sep 6 20:53:55 GMT 2002


>Hi,
>	Iam looking at Gigabit Firewalls and trying to get a list
>	of what issues will occur when trying to Firewall at that speed.
>	Has anybody done any work in this area they are willing to share ?

Yes,  I have...   First,  let me explain our test setup.   Using 33 Mhz PCI Bus speeds,   all we were able to get was 210 mb/sec throughput in our early lab tests.   Te "bottleneck" is the PCI Bus speed if you use Gigabit NIC's using PCI interface.

But if you get a CPU with 66 MHZ,  PCI bus speeds,  your throughput cap could me up to about 500 mb/sec.    IN either of these speeds,  we get 30 - 40% cpu usage at these rates (FULL ON TRAFFIC - using a traffic generator with Fiber Optic OC148 traffic emulator.   Of course if you "hammer" a LAN at these rates,  you'll hose the NAT tables in about 15 seconds...  So we ran it in "bridge" mode.   We had Snort running with ALL of the IDS rules turned on....    turning off snort only gave us about 5% reduction in CPU usage.   We were using an Athlon 1900+ for the tests,  with 33 Mhz PCI bus speed.   running OpenBSD.
>
>	I can see a number of issues occurring whereby any attempt
>	to log the streams could end up with serious system problems
>	involving write caching to disks, interrupt levels on buses
>	and the system being very sensitive to DOS attacks.

Yes - these issues are "real" and IDS logs sould be piped off the target machine ASAP of course,  but in a way as to not hose the loggers.
>
>	There are a some products on the market which claim to firewall 
>	at this speed including the new Netscreen 5000 series, PIX 535's 
>	and Nokia 700 products. They all used specialised ASIC's and/or 
>	certified Gbit cards. Any comments would be appreciated.

Yes,  and for good reason....   just use some other then PCI GB NIC's,  or ones that wont run into the "copper" limit.   But these are expensive,  but when it comes to security,  one should NOT be concirned with expense.

John





More information about the list mailing list