* Poll on large sites that deploy Iptables.
From: Brett Simpson @ 2004-06-02 19:54 UTC (permalink / raw)
To: netfilter
We are a large organization, 3000 plus users, considering switching from Checkpoint FW1 to Iptables. I was wondering how many large organizations (1000 plus users) are using Iptables in a production environment?
For those that are using Iptables and were previously using a commercial product what were your reasons for switching and what issues have you seen using Iptables?
Thanks,
Brett
* RE: Poll on large sites that deploy Iptables.
From: Daniel Chemko @ 2004-06-02 20:54 UTC (permalink / raw)
To: Brett Simpson, netfilter
Brett Simpson wrote:
> We are a large organization, 3000 plus users, considering switching
> from Checkpoint FW1 to Iptables. I was wondering how many large
> organizations (1000 plus users) are using Iptables in a production
> environment?
I can't speak for concurrent connections, but I know that stability is
pretty good for moderate loads. My network has 100 users with about 10
TB of traffic in the course of 2 months. Linux reboots are rare, but
when you do, you'll want to make sure to update any critical kernel
issues. With so much traffic, any bug could impact your setup
substantially. I can't speak for Checkpoint's qualities, so I'm not the
best reference.
I imagine the best plan would be to take up a test group and subject them
to the Linux based gateways and see how THEY like it. I don't think
there should be a show-stopper unless you have a situation that isn't
iptables compatible, like some L5-7 issues, and maybe a few remote-auth
type things.
Net stats:
You can expect to reboot the server quarterly for updates (tested
beforehand on test env.)
I've never had Linux crash, so I assume the mean time error is > 1 year
if you aren't running anything too experimental.
25% CPU utilization on a P4 2.66 (not dual-threaded) when filtering
~120Mb/s of traffic
Concurrent connections exceeding 3000 have never peaked the system
beyond 200MB in the 512MB system (other non-firewall programs as well)
Things to watch out for:
Control your logging because it will get ugly
Plan for proper capacity. 3000 ppl feeding into a T-1 isn't such a big
deal, but if your edge firewall's hosting a fat pipe, expect to spend
time tuning all of Linux/Netfilter's settings to utilize the best
efficiency. Linux perfect out-of-the-box.
The good thing is that Linux has tons of tools to help you find out
what's going on in the network.
Management time/costs will probably go up due to more baby-sitting the
system. It all depends on how dynamic your network is. The more unique
things you do, the longer it'll take to implement on Linux.
Conclusions
I know it isn't what you wanted, but I hope it gives you some idea on
what to expect.
* Re: Poll on large sites that deploy Iptables.
From: Ramoni @ 2004-06-02 21:16 UTC (permalink / raw)
To: netfilter
Ok, let me show some info about my firewall here:
We have too many aliases in our 5 ethernet interfaces, and some tun
interfaces.
This frw is a vpn server too. Do many nats and filter rules.
I'll paste here some line counts just to give you an idea of this frw:
See some info:
- Iptables rules:
[root(sethi)~]#> iptables -L -n | wc -l
1313
[root(sethi)~]#> iptables -L -n -t nat | wc -l
447
- Interfaces: (we have so many aliases here, 5 ethernet interfaces and about
20 tun interfaces:
[root(sethi)~]#> ifconfig | grep -E "eth|tun" | wc -l
317
- Routes: We have a large routing table, because we have many links..
[root(sethi)~]#> route -n | wc -l
157
- Mem: Rarely we use swap:
[root(sethi)~]#> free
             total       used       free     shared    buffers     cached
Mem:        515544     494492      21052          0     122284     275468
-/+ buffers/cache:      96740     418804
Swap:       498004          0     498004
- Uptime:
[root(sethi)~]#> uptime
17:57:37 up 58 days, 7:02, 3 users, load average: 0.00, 0.00, 0.00
- Machine:
[root(sethi)~]#> cat /proc/cpuinfo | head -8
processor : 0
vendor_id : AuthenticAMD
cpu family : 6
model : 1
model name : AMD-K7(tm) Processor
stepping : 2
cpu MHz : 650.028
cache size : 512 KB
This frw has a 4mb link to the internet, that is almost all the time at 90%
[root(sethi)~]#> cat /etc/slackware-version
Slackware 9.1.0
So, I think linux is pretty good for firewall and routing :)
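The two posts above give a rule count taken from "iptables -L -n | wc -l" and warn that logging "will get ugly" on a busy gateway. As an added example (not code from the thread, nor from the netfilter project), the POSIX shell script below audits an iptables-save dump offline: it counts actual "-A" rules per table and chain, which is what "iptables -L | wc -l" overstates by including chain headers and column headings, and it flags every LOG rule that is not rate-limited with "-m limit". The dump, its addresses, interfaces and the LOGDROP chain are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save dump
# offline. Two checks a practitioner wants before trusting posted numbers:
#   1. count real rules per table and chain ("iptables -L -n | wc -l"
#      also counts chain headers and column headings, so it overstates);
#   2. flag every LOG rule that is not rate-limited with "-m limit",
#      the usual reason logging "gets ugly" at line rate.

# Constructed sample in iptables-save format. Addresses, interfaces and
# the LOGDROP chain are made up for this example.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 198.51.100.10/32 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j DROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IN-DROP: "
-A LOGDROP -j DROP
COMMIT'

# count_rules: read iptables-save text on stdin and print one
# "table chain rules" line per chain, sorted. Only "-A" lines are rules;
# "*table", ":chain policy" and COMMIT lines are structure.
count_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { n[table " " $2]++; next }
        END    { for (k in n) print k, n[k] }
    ' | sort
}

# unlimited_log_rules: print every LOG rule that carries no "-m limit"
# match; exit 1 if any were found, 0 otherwise. A chain that jumps to a
# dedicated logging chain (LOGDROP above) passes as long as the LOG rule
# itself is limited. "-j LOGDROP" must not match "-j LOG", hence the
# trailing-space/end-of-line test.
unlimited_log_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / && (/ -j LOG / || / -j LOG$/) && !/ -m limit / {
            print table ": " $0; bad++
        }
        END    { exit (bad > 0) }
    '
}

# Stand-alone demonstration on the constructed dump. On a live box feed
# the output of iptables-save (and ip6tables-save) instead.
printf '%s\n' "$SAMPLE_DUMP" | count_rules
if printf '%s\n' "$SAMPLE_DUMP" | unlimited_log_rules; then
    echo "all LOG rules are rate-limited"
else
    echo "unlimited LOG rule(s) listed above: add -m limit or jump to a limited chain"
fi
```

On the sample the counter reports 10 filter rules and 2 nat rules, and the lint names the FORWARD chain's bare "-j LOG" rule while accepting the limited one in LOGDROP. Run the same two functions over "iptables-save" output on the gateway to get the rule count people are really asking for in this thread, and to catch an unlimited LOG rule before a scan or a worm turns it into a disk-filling problem.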
* Re: Poll on large sites that deploy Iptables.
From: John A. Sullivan III @ 2004-06-02 22:45 UTC (permalink / raw)
To: Brett Simpson; +Cc: netfilter
On Wed, 2004-06-02 at 15:54, Brett Simpson wrote:
> We are a large organization, 3000 plus users, considering switching from Checkpoint FW1 to Iptables. I was wondering how many large organizations (1000 plus users) are using Iptables in a production environment?
>
> For those that are using Iptables and were previously using a commercial product what were your reasons for switching and what issues have you seen using Iptables?
>
> Thanks,
> Brett
I do not have any massive deployments yet but the ISCS project
(http://iscs.sourceforge.net) is initially based upon iptables as the
firewall and is targeted to large enterprise and carrier networks.
We've not yet had the opportunity to stress it. We have placed iptables
based firewalls on some client sites that are smaller than yours but
very avid web users (large, international PR firm) and we've not had
them break a sweat. They have never gone down. I'm looking forward to
both the other responses and the day when I can say we have ISCS
deployments numbering thousands of gateways and many tens of thousands
of users - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Poll on large sites that deploy Iptables.
From: Brett Simpson @ 2004-06-03 13:19 UTC (permalink / raw)
To: netfilter
On Wednesday 02 June 2004 03:54 pm, Brett Simpson wrote:
> We are a large organization, 3000 plus users, considering switching from
> Checkpoint FW1 to Iptables. I was wondering how many large organizations
> (1000 plus users) are using Iptables in a production environment?
>
> For those that are using Iptables and were previously using a commercial
> product what were your reasons for switching and what issues have you seen
> using Iptables?
Thanks for the responses.
I have a few more questions:
Does anyone know of any large firewall sites? Large site would consist of
large numbers of users, rules, routes, tunnels, or high bandwidth use.
Of those who answered the above question:
Are any of those well known companies (i.e. like AOL, IBM, etc... ) who use
Iptables?
What version of Linux are they using?
What are they doing for support? (i.e. Redhat, IBM, 3rd party support, mailing
lists, etc)
How many physical firewalls are deployed?
Is it known if they converted from a commercial firewall? (i.e Checkpoint,
NetScreen, Cisco PIX, etc)
Thanks in advance,
Brett
* Re: Poll on large sites that deploy Iptables.
From: Frank Gruellich @ 2004-06-03 13:32 UTC (permalink / raw)
To: netfilter
* Brett Simpson <simpsonb@hillsboroughcounty.org> 3. Jun 04:
> Does anyone know of any large firewall sites? Large site would consist of
> large numbers of users, rules, routes, tunnels, or high bandwidth use.
Some months ago there was a message at the list from Wolfgang Stindl.
<URL:http://lists.netfilter.org/pipermail/netfilter/2004-March/050891.html>
From his address domainpart I could imagine a very large setup, maybe
you can send him a note and ask for some details.
HTH,
regards, Frank.
--
Sigmentation fault
* RE: Poll on large sites that deploy Iptables.
From: Aldo Lagana @ 2004-06-03 16:59 UTC (permalink / raw)
To: 'Brett Simpson', netfilter
First off - like AOL, IBM, etc - all use high-end, probably Cisco, routers
which do their firewalling - one cannot get the packet per second throughput
they need without dedicated ASIC-based router/firewalls...
Second - you come from the Checkpoint world...that's software only - right? if
so, then netfilter is the equivalent...with netfilter, and added modules
(Squid, KAME IPSec, etc..) you can/will achieve the functionality that
Checkpoint had/did...when you worry about thousands of users, then you will
simply have to place your netfilter firewall on a powerful box...one with
good network cards and a fast processor(s)...the same would be true in a
Checkpoint implementation to support thousands of users....
short story long - netfilter has all the equivalents of Checkpoint including
the hardware requirements for many concurrent connections.
* RE: Poll on large sites that deploy Iptables.
From: Daniel Chemko @ 2004-06-04 16:39 UTC (permalink / raw)
To: Aldo Lagana, Brett Simpson, netfilter
Aldo Lagana wrote:
> First off - like AOL, IBM, etc - all use high-end probably cisco
> routers which do their firewalling - one cannot get the packet per
> second throughput they need without dedicated ASIC-based
> router/firewalls...
Correct me if I'm wrong, but aren't (at least mid-sized) Cisco firewalls
based on x86s down to the PCI bus and Pentium derived processors? Even
mid-grade routers are supplying VPN accelerator chips, but I think the
firewall code itself is stored in flash, executed like any other
programs. I doubt IOS uses a lot of hardware acceleration beyond the
CPU. Although I really don't know much since I haven't done much work on
them.
An example:
(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080091b17.shtml)
Even the 535's only use a PIII 1 GHz
* RE: Poll on large sites that deploy Iptables.
From: Alexis @ 2004-06-04 16:49 UTC (permalink / raw)
To: 'Daniel Chemko'; +Cc: netfilter
Yes, it's true but you must isolate 2 concepts here.
PIX doesn't run IOS, it uses software called PIX software (yes, Cisco has a
lot of art naming devices). All PIXes mid to high range (515E, 525 and 535)
are Intel Pentium based and in standard configuration they do the encryption
in the main CPU.
Now they (Cisco) made a new VAC (VPN accelerator card) that the routers /
switches+routers (like 6500's) and PIXes use to do the encryption via
hardware (those chips are not Intel based).
So, PIX uses main x86 processors to do the encryption job if there isn't any
VAC installed; in that case all the encryption processing is passed to the
VAC. It works in the same way in some routers, not all.
I hope it helps.