concurrent connections

concurrent connections

[Naleendra]

[-- Attachment #1: Type: text/plain, Size: 556 bytes --]



	Hi List,

	I have a customer of mine who needs a firewalling solution. However
they have given specification guidelines such as,

	170 Mbps throughput 
	125,000 simultaneos connections

	I looked up the Cisco site & they have products to support this.
Only thing to note  was the micro-processor & Memory which varied from AMD
133 to Intel 1Ghz for their range of models. In order to match this what is
the spec that I could go for in the Linux Server. Is their any sort of
yard-stick or rule of thumb for this purpose ?

 Thanks in advance

 naleendra

[-- Attachment #2: Type: text/html, Size: 1387 bytes --]

Re: concurrent connections

[Roberto Nibali]

Hello,

>         I have a customer of mine who needs a firewalling solution. 
> However they have given specification guidelines such as,
> 
>         170 Mbps throughput
>         125,000 simultaneos connections

How many rules do you expect to have and how many NICs are involved? How long do 
those 125000 simultaneous connections last in an average case?

>         I looked up the Cisco site & they have products to support this. 
> Only thing to note  was the micro-processor & Memory which varied from 
> AMD 133 to Intel 1Ghz for their range of models. In order to match this

I seriously doubt that an AMD133 could perform that well.

> what is the spec that I could go for in the Linux Server. Is their any 
> sort of yard-stick or rule of thumb for this purpose ?

It all depends a little bit on the design you're going to have. I mean it is 
perfectly ok to filter 170 Mbps on a Linux box provided you don't have state 
match and a lot of rules and probably LSM in your kernel.

You will definitely need a lot of testing before you can actually sell your box 
but someone with such giant requirements certainly has enough money to pay you a 
test environment too. At least that's what I've experienced with such customers.

Also you might need a buttload of memory for such a system. Assume for example 
that one connection needs only 256 bytes and it will only last for 30 seconds 
you would have (as a worst case with a 30 second peak rate):

ratz@zar:~ > echo "125000*256*30/1024/1024" | bc -l
915.52734375000000000000
ratz@zar:~ >

That would be MBytes ;), provided I didn't misinterprete something and that bc 
works correctly. I mean nothing is really impossible as we stride towards better 
kernels and high end servers.

Best regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc

Re: concurrent connections

[Ben Russo]

On Wed, 2002-11-06 at 04:03, Naleendra@dms.lanka.net wrote:
> 
> 
> 	Hi List,
> 
> 	I have a customer of mine who needs a firewalling solution. However
> they have given specification guidelines such as,
> 
> 	170 Mbps throughput 
> 	125,000 simultaneos connections
> 
> 	I looked up the Cisco site & they have products to support this.
> Only thing to note  was the micro-processor & Memory which varied from AMD
> 133 to Intel 1Ghz for their range of models. In order to match this what is
> the spec that I could go for in the Linux Server. Is their any sort of
> yard-stick or rule of thumb for this purpose ?
> 
>  Thanks in advance
> 
>  naleendra

In a former professional position I deployed many Linux based firewalls
for 24x7 commercial production networks.  After deploying about 3 or 4
such production networks I realized that the management of the firewalls
in a dynamic network environment is very expensive in terms of man
hours.

On IBM Netfinity Servers (I think they were 7500's? 4U boxes?) Running
stock RedHat 7.2 kernels with some expensive Quad Fast Ethernet NIC's
with custom drivers from the manufacturers and a huge but simple
firewall ruleset, we never managed to push more than about 30Mbps
through the firewall.  Granted for what we were using them for that was
sufficient at the time, so we didn't worry about it.  I'm sure that
if we had taken the time to carefully configure the kernel and the
drivers and all the little tweaks and settings we could have increased
that number dramatically.

However I think that with Standard PC hardware and a Linux OS you may be
hard pushed to get a sustained 170Mbps on a stateful firewall with
125,000 connections.

(just an offhand thought...) You might consider breaking up the traffic
through different firewalls by seperating your network nodes onto
different subnets. and putting a router in front of your firewalls to
spread the load. But when you do this you enter into the firewall
management issue of having many different firewalls to be managed with
so-so management tools.

I may get flamed for saying this on this list, but for that big of a
firewall, and *expecially* if you are going to have more than 3 of them,
I would recommend that you look into a dedicated firewall appliance with
a firewall management GUI.  Something like a NOKIA box or CISCO PIX or
whatever.  I don't have much experience with them, but I really like the
CheckPoint management interface.


-Ben.