Search
	display results
words begin exact words any words part
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW1] FireWall-1 and Dual CPU machine

To: "Vincent, Mike" <[email protected]>
Subject: Re: [FW1] FireWall-1 and Dual CPU machine
From: CryptoTech <[email protected]>
Date: Mon, 19 Feb 2001 12:10:38 -0500
Cc: "'[email protected] '" <[email protected]>, "'[email protected] '" <[email protected]>
References: <[email protected]>
Reply-to: [email protected]
Sender: [email protected]
VPN is still a security server process.  It is not the inspection code itself, which
is what constitutes a FireWall.  Again,
Inspect engine=Firewall=non-multithreaded
Securityservers=ufp/cvp/vpn=added functionality pieces=userconfigurable.

But thanks for the input.
CT

"Vincent, Mike" wrote:

> That is mostly true.  Under 4.1 with Service Pack 3 and VPNx (free download
> >from Checkpoint) installed encryption/decryption is multi-threaded on
> Solaris and Windows NT.
>
> -----Original Message-----
> From: CryptoTech
> To: [email protected]
> Cc: [email protected]
> Sent: 2/10/01 11:23 PM
> Subject: Re: [FW1] FireWall-1 and Dual CPU machine
>
> <rant>
> Come on people,  HOW MANY TIME DOES IT HAVE TO BE STATED-----
>
> FIREWALL-1 IS NOT MULTITHREADED.  If you run security servers, they can
> run multiple
> instances with each bound to a separate processor, but the core code is
> NOT
> multithreaded.
>
> </rant>
> Seriously, the documentation will make this clear.
>
> [email protected] wrote:
>
> > fyi,
> >
> > linux 2.4.1 kernel has MUCH better networking stats, and infact its
> > multithreaded... from what I understand.
> >
> > On Sat, 10 Feb 2001, Peter Lukas wrote:
> >
> > >
> > > Even with a GigE adapter, the bottleneck is the processor as it
> crunches
> > > through the policy.
> > >
> > > The newer 900MHz UltraIII's would most likely enable you to approach
> the
> > > capacity of the 100Mbps ethernet adapter, but for sustained
> throughput, it
> > > may not come close.
> > >
> > > Some of the newer GHz x86 processors could probably tap a keg of
> whoopass
> > > on crunching through the policy and you may approach 100Mbps and
> > > beyond.  You'd then need to bundle into that configuration some
> speedy
> > > memory, etc.
> > >
> > > The newer processors from AMD and (when they get their act together)
> Intel
> > > are capable of crunching through policy relatively well.  Add that
> with
> > > faster memory, etc (should DDR-SDRAM materialize), and your x86
> firewall
> > > will most likely smoke a Solaris/Sun-Based firewall.
> > >
> > > The real problem here is that you only have Linux or NT on which to
> run
> > > CP.  Since neither can handle packets as well as Solaris, and Nokia
> > > selfishly clings to their IPSO/FreeBSD CP binary, we don't have a
> > > more efficient OS to slap atop this newer, speedier hardware.
> > >
> > > Either we pressure Nokia/CP to release native *BSD binaries of their
> > > product, or we wait for Nokia to "support" better and more capable
> > > hardware.
> > >
> > > Peter Lukas
> > >
> > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > >
> > > >
> > > > Couldn't agree more. The ultra60 is such a nice desktop :). I
> fully believe
> > > > in single purpose firewalls. Why waste cpu cycles on any other
> task.
> > > >
> > > > Have you tried any gigbit adapters at fast ethernet speeds? (Or
> has anyone?)
> > > > I'm wondering if that is not the *best* way to get maximum
> performance.
> > > >
> > > > Has anybody got any references for how disk speed affects fw1? I'm
> assuming
> > > > that the faster the drive, the faster the logging. Does that
> increase fw1
> > > > performance at all? I would think that it would at least reduce
> the memory
> > > > footprint a bit (If log entries are buffered in memory before
> being
> > > > written.) Comments anyone?
> > > >
> > > > Cheers,
> > > > Craig
> > > >
> > > > ----- Original Message -----
> > > > From: "Peter Lukas" <[email protected]>
> > > > To: "Craig Skelton" <[email protected]>
> > > > Cc: "William Pope" <[email protected]>;
> <[email protected]>;
> > > > <[email protected]>
> > > > Sent: Tuesday, February 06, 2001 6:43 AM
> > > > Subject: Re: [FW1] FireWall-1 and Dual CPU machine
> > > >
> > > >
> > > > > THis is precisely what the Nokia folks realized in their
> devices.  A
> > > > > celeron with 64MB is going to do just as well when pusing policy
> as a Sun
> > > > > Ultra60 (can you believe these are being used as firewalls?
> Nice graphics
> > > > > on your "headless" firewall).
> > > > >
> > > > > PCI is PCI is PCI - for the most part at least.  Some
> implementations
> > > > > leave much to be desired (thanks 810).
> > > > >
> > > > > However, the SunQFE can ride the 66MHz 64-bit PCI bus if
> configured
> > > > > properly.  That'll provide some improvement over the 33MHz
> jalopy riding
> > > > > the Nokia Intel MB.  I believe the Micron folks implemented a
> Samauri
> > > > > chipset (a pre-AGP concoction) which accomplished the same
> thing.  On the
> > > > > downside, the extremely high markup of the four Intel speedo's
> with a Sun
> > > > > emblem on the Sun QFE is ludicrous.  Looks like they fostered
> the Nokia
> > > > > markup as well.
> > > > >
> > > > > I've had a relatively high failure rate on the Luna PCI adapter
> (see
> > > > > previous threads of failing Luna PCI's with an "E.T." syndrome).
> The
> > > > > point of the post was that the UltraSPARC can be much faster
> than the
> > > > > Intel SA-110 on the LUNA PCI adapter.  I'm not sure how the
> "Soft" LUNA is
> > > > > licensed.  This only benefits VPN users who were conned into
> buying SMP
> > > > > powerhouses for their firewall device, though.
> > > > >
> > > > > -pl
> > > > >
> > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > >
> > > > > > Memory, bus speed, adapter speed, and base processor speed are
> the
> > > > biggest
> > > > > > factors in FW1 performance.
> > > > > >
> > > > > > The Luna VPN card will increase preformance only if you are
> implemeting
> > > > a
> > > > > > VPN. If you don't plan on using an IKE or IPSEC VPN then it
> won't do
> > > > > > anything for you. (Although they are cool if you do.)
> > > > > >
> > > > > > One thing people missed is the bus speed of your machine. This
> is a big
> > > > > > deal. You should examine the bus speed of the machine, and the
> ability
> > > > of
> > > > > > the ethernet adapters to utilize that top speed. Some docs
> suggest that
> > > > > > gigabit cards will support slightly higher speeds even when
> run at Fast
> > > > > > Ethernet speeds. Stands to reason that the higher the
> performace
> > > > capability,
> > > > > > the better the performance at nominal speeds. Obviously, if
> you already
> > > > own
> > > > > > the machine, then you might not get to choose, but a slow bus
> speed
> > > > might
> > > > > > mean that you are better off upgrading now (or that the second
> proc
> > > > won't
> > > > > > matter).
> > > > > >
> > > > > > For dual cpu info, you should check the doc at:
> > > > > >
> > > >
> http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performan
> ce.h
> > > > > > tml
> > > > > > "SMP (2-4 CPUs) has the most effect on Resource and VPN
> policies
> > > > performance
> > > > > > (up to 35-54% performance improvement). Make sure to run
> multiple
> > > > instances
> > > > > > of security servers (see the VPN-1 Tuning chapter). "
> > > > > >
> > > > > > If you run lots of security servers, or have many people
> viewing
> > > > logfiles
> > > > > > (nt clients being worse than command line warriors) then the
> dual cpu
> > > > will
> > > > > > really help. Especially if they are not too good at refining
> their
> > > > > > selections. Obviously, the kernel modules are monolithic (most
> likely
> > > > due to
> > > > > > severe security issues in multi-threaded kernel mods). The
> security
> > > > servers
> > > > > > and other portions of vpn1/fw1 are not. (pbind etc. to take
> advantage.)
> > > > You
> > > > > > should run multiple instances to increase preformance.
> Multiple
> > > > instances
> > > > > > will ensure that the second cpu is truely utilized (at least
> on
> > > > solaris.). I
> > > > > > doubt there is much need for more than a dual box.
> > > > > >
> > > > > > As far as I am aware, there are no specific dual processor
> tuning points
> > > > for
> > > > > > fw-1 on solaris (if you hear of any, let me know.) You might
> want to
> > > > take a
> > > > > > look at sunsolve.sun.com for the doc id 1442 (white papers/
> tech
> > > > bulletins).
> > > > > >
> > > > > > Cheers,
> > > > > > Craig
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Peter Lukas" <[email protected]>
> > > > > > To: "William Pope" <[email protected]>
> > > > > > Cc: <[email protected]>
> > > > > > Sent: Monday, February 05, 2001 6:42 PM
> > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > I did notice a version of the Luna VPN driver optimized for
> the
> > > > dormant
> > > > > > > CPU.  Seeing as how a relatively fast UltraSPARC can
> effectively dust
> > > > the
> > > > > > > StrongARM on the Chrysalis-ITS, it may be worth a looksee
> for people
> > > > who
> > > > > > > ended up purchasing a multi-CPU system for their firewall...
> > > > > > >
> > > > > > > -peter
> > > > > > >
> > > > > > > On Mon, 5 Feb 2001, William Pope wrote:
> > > > > > >
> > > > > > > >
> > > > > > > > I do not think that Checkpoint has released a
> multithreaded version
> > > > of
> > > > > > > > Firewall-1 yet.  I have had some luck using pbind & renice
> to force
> > > > the
> > > > > > > > Checkpoint services to the second processor leaving the
> first for
> > > > the
> > > > > > O/S.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: [email protected]
> > > > > > > > [mailto:[email protected]]On
> Behalf Of
> > > > > > Vincent,
> > > > > > > > Mike
> > > > > > > > Sent: Monday, February 05, 2001 10:59 AM
> > > > > > > > To: 'Damon Starkey '; ''Arie Gilboa' '; ''fw-1 Mailinglis'
> '
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Checkpoint did release a multi-threaded device driver to
> accelerate
> > > > > > > > encryption and decryption on SMP SPARC/Solaris and Windows
> NT
> > > > systems.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Damon Starkey
> > > > > > > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > > > > > Sent: 2/5/01 10:15 AM
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > > I was told no when I went through the Checkpoint
> Certification.  It
> > > > > > > > benefits from a good amount of memory.
> > > > > > > >
> > > > > > > > Damon Starkey
> > > > > > > > Network Administrator
> > > > > > > > Digital Access Corporation
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Arie Gilboa [mailto:[email protected]]
> > > > > > > > Sent: Monday, February 05, 2001 9:44 AM
> > > > > > > > To: 'fw-1 Mailinglis'
> > > > > > > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > > Hello!,
> > > > > > > > I would like to instal CP-2000 on Dual CPU Solaris
> machine.
> > > > > > > > Does CP-2000 software know to use more than one CPU ?. Is
> there any
> > > > > > > > special configuration which should be done ?.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Arie Gilboa
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > > > ====
> > > > > > > >      To unsubscribe from this mailing list, please see the
> > > > instructions
> > > > > > at
> > > > > > > >
> http://www.checkpoint.com/services/mailing.html
> > > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > > > ====
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > ====
> > > > > > > >      To unsubscribe from this mailing list, please see the
> > > > instructions
> > > > > > at
> > > > > > > >
> http://www.checkpoint.com/services/mailing.html
> > > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > ====
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > ====
> > > > > > >      To unsubscribe from this mailing list, please see the
> > > > instructions at
> > > > > > >
> http://www.checkpoint.com/services/mailing.html
> > > > > > >
> > > > > >
> > > >
> ========================================================================
> ====
> > > > > > ====
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> ========================================================================
> ========
> > > >      To unsubscribe from this mailing list, please see the
> instructions at
> > > >               http://www.checkpoint.com/services/mailing.html
> > > >
> ========================================================================
> ========
> > > >
> > >
> > >
> > >
> > >
> ========================================================================
> ========
> > >      To unsubscribe from this mailing list, please see the
> instructions at
> > >               http://www.checkpoint.com/services/mailing.html
> > >
> ========================================================================
> ========
> > >
> >
> > --
> > --Paul
> >
> >
> ========================================================================
> ========
> >      To unsubscribe from this mailing list, please see the
> instructions at
> >               http://www.checkpoint.com/services/mailing.html
> >
> ========================================================================
> ========
>
> ========================================================================
> ========
>      To unsubscribe from this mailing list, please see the instructions
> at
>                http://www.checkpoint.com/services/mailing.html
> ========================================================================
> ========
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
References:
- RE: [FW1] FireWall-1 and Dual CPU machine
  - From: "Vincent, Mike" <[email protected]>
Prev by Date: Re: [FW1] FireWall-1 and Dual CPU machine
Next by Date: Re: [FW1] FireWall-1 and Dual CPU machine
Previous by thread: RE: [FW1] FireWall-1 and Dual CPU machine
Next by thread: [FW1] Natting two 10.0.0.0 networks
Index(es):
- Date
- Thread