
Re: [FW1] FireWall-1 and Dual CPU machine





The THREAD may very well have started with what you are talking
about.  But you replied to MY email.  This is the point where you went off
on a seemingly random rant.  A rant whose topic had NOTHING to do with my
post.  

I totally agree that it is "non-beneficial" to listen to your useless
rants.  And so I won't.

On Mon, 19 Feb 2001, CryptoTech wrote:

> Unless you are totally daft, then you will note that the thread you sent regards the
> benefits of dual cpu and the statement that the major limitation is to be the bus speed.
> This must be the source of the same insecurity in firewall knowledge that leads you to
> continue this nonsensical, and definitely non-beneficial thread.
> 
> FACT:
> Linux can be compiled with SMP/multithreading.
> [email protected] has stated this more times than my processor can compute
> 
> Firewall-1 Inspect (that is the Firewall in the product Firewall-1) is not.  Its security
> servers can be, as well as the vpn portion (genuine thanks to Mike Vincent,) if so
> configured.
> 
> I think this thread and argument have gone on long enough for everyone's taste, so why don't
> we let things lie.
> 
> Best Regards,
> CryptoTech
> 
> [email protected] wrote:
> 
> > I think you have a reading comprehension problem.  I had this when I was
> > in elementary school, but I believe I have overcome it.  Quite obviously
> > you have NOT.
> >
> > I was quite obviously stating that LINUX KERNEL networking is multi
> > threaded.
> >
> > Now this is the second time that you have done this to me.  I have never
> > had to filter a person's email address to /dev/null before...
> >
> > On Sat, 10 Feb 2001, CryptoTech wrote:
> >
> > >
> > > <rant>
> > > > Come on people,  HOW MANY TIMES DOES IT HAVE TO BE STATED-----
> > >
> > > FIREWALL-1 IS NOT MULTITHREADED.  If you run security servers, they can run multiple
> > > instances with each bound to a separate processor, but the core code is NOT
> > > multithreaded.
> > >
> > > </rant>
> > > Seriously, the documentation will make this clear.
> > >
> > >
> > >
> > > [email protected] wrote:
> > >
> > > > fyi,
> > > >
> > > > > linux 2.4.1 kernel has MUCH better networking stats, and in fact it's
> > > > multithreaded... from what I understand.
> > > >
> > > > On Sat, 10 Feb 2001, Peter Lukas wrote:
> > > >
> > > > >
> > > > > Even with a GigE adapter, the bottleneck is the processor as it crunches
> > > > > through the policy.
> > > > >
> > > > > The newer 900MHz UltraIII's would most likely enable you to approach the
> > > > > capacity of the 100Mbps ethernet adapter, but for sustained throughput, it
> > > > > may not come close.
> > > > >
> > > > > Some of the newer GHz x86 processors could probably tap a keg of whoopass
> > > > > on crunching through the policy and you may approach 100Mbps and
> > > > > beyond.  You'd then need to bundle into that configuration some speedy
> > > > > memory, etc.
> > > > >
> > > > > The newer processors from AMD and (when they get their act together) Intel
> > > > > are capable of crunching through policy relatively well.  Add that with
> > > > > faster memory, etc (should DDR-SDRAM materialize), and your x86 firewall
> > > > > will most likely smoke a Solaris/Sun-Based firewall.
> > > > >
> > > > > The real problem here is that you only have Linux or NT on which to run
> > > > > CP.  Since neither can handle packets as well as Solaris, and Nokia
> > > > > selfishly clings to their IPSO/FreeBSD CP binary, we don't have a
> > > > > more efficient OS to slap atop this newer, speedier hardware.
> > > > >
> > > > > Either we pressure Nokia/CP to release native *BSD binaries of their
> > > > > product, or we wait for Nokia to "support" better and more capable
> > > > > hardware.
> > > > >
> > > > > Peter Lukas
> > > > >
> > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > >
> > > > > >
> > > > > > Couldn't agree more. The ultra60 is such a nice desktop :). I fully believe
> > > > > > in single purpose firewalls. Why waste cpu cycles on any other task.
> > > > > >
> > > > > > > Have you tried any gigabit adapters at fast ethernet speeds? (Or has anyone?)
> > > > > > I'm wondering if that is not the *best* way to get maximum performance.
> > > > > >
> > > > > > Has anybody got any references for how disk speed affects fw1? I'm assuming
> > > > > > that the faster the drive, the faster the logging. Does that increase fw1
> > > > > > performance at all? I would think that it would at least reduce the memory
> > > > > > footprint a bit (If log entries are buffered in memory before being
> > > > > > written.) Comments anyone?
> > > > > >
> > > > > > Cheers,
> > > > > > Craig
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Peter Lukas" <[email protected]>
> > > > > > To: "Craig Skelton" <[email protected]>
> > > > > > Cc: "William Pope" <[email protected]>; <[email protected]>;
> > > > > > <[email protected]>
> > > > > > Sent: Tuesday, February 06, 2001 6:43 AM
> > > > > > Subject: Re: [FW1] FireWall-1 and Dual CPU machine
> > > > > >
> > > > > >
> > > > > > > > This is precisely what the Nokia folks realized in their devices.  A
> > > > > > > > celeron with 64MB is going to do just as well when pushing policy as a Sun
> > > > > > > Ultra60 (can you believe these are being used as firewalls?  Nice graphics
> > > > > > > on your "headless" firewall).
> > > > > > >
> > > > > > > PCI is PCI is PCI - for the most part at least.  Some implementations
> > > > > > > leave much to be desired (thanks 810).
> > > > > > >
> > > > > > > However, the SunQFE can ride the 66MHz 64-bit PCI bus if configured
> > > > > > > properly.  That'll provide some improvement over the 33MHz jalopy riding
> > > > > > > > the Nokia Intel MB.  I believe the Micron folks implemented a Samurai
> > > > > > > chipset (a pre-AGP concoction) which accomplished the same thing.  On the
> > > > > > > downside, the extremely high markup of the four Intel speedo's with a Sun
> > > > > > > emblem on the Sun QFE is ludicrous.  Looks like they fostered the Nokia
> > > > > > > markup as well.
> > > > > > >
> > > > > > > I've had a relatively high failure rate on the Luna PCI adapter (see
> > > > > > > previous threads of failing Luna PCI's with an "E.T." syndrome).  The
> > > > > > > point of the post was that the UltraSPARC can be much faster than the
> > > > > > > Intel SA-110 on the LUNA PCI adapter.  I'm not sure how the "Soft" LUNA is
> > > > > > > licensed.  This only benefits VPN users who were conned into buying SMP
> > > > > > > powerhouses for their firewall device, though.
> > > > > > >
> > > > > > > -pl
> > > > > > >
> > > > > > > On Tue, 6 Feb 2001, Craig Skelton wrote:
> > > > > > >
> > > > > > > > > Memory, bus speed, adapter speed, and base processor speed are the
> > > > > > > > > biggest factors in FW1 performance.
> > > > > > > > >
> > > > > > > > > The Luna VPN card will increase performance only if you are
> > > > > > > > > implementing a VPN. If you don't plan on using an IKE or IPSEC VPN
> > > > > > > > > then it won't do anything for you. (Although they are cool if you do.)
> > > > > > > > >
> > > > > > > > > One thing people missed is the bus speed of your machine. This is a big
> > > > > > > > > deal. You should examine the bus speed of the machine, and the ability
> > > > > > > > > of the ethernet adapters to utilize that top speed. Some docs suggest
> > > > > > > > > that gigabit cards will support slightly higher speeds even when run at
> > > > > > > > > Fast Ethernet speeds. Stands to reason that the higher the performance
> > > > > > > > > capability, the better the performance at nominal speeds. Obviously, if
> > > > > > > > > you already own the machine, then you might not get to choose, but a
> > > > > > > > > slow bus speed might mean that you are better off upgrading now (or
> > > > > > > > > that the second proc won't matter).
> > > > > > > > >
> > > > > > > > > For dual cpu info, you should check the doc at:
> > > > > > > > >
> > > > > > > > > http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
> > > > > > > > > "SMP (2-4 CPUs) has the most effect on Resource and VPN policies
> > > > > > > > > performance (up to 35-54% performance improvement). Make sure to run
> > > > > > > > > multiple instances of security servers (see the VPN-1 Tuning chapter). "
> > > > > > > > >
> > > > > > > > > If you run lots of security servers, or have many people viewing
> > > > > > > > > logfiles (nt clients being worse than command line warriors) then the
> > > > > > > > > dual cpu will really help. Especially if they are not too good at
> > > > > > > > > refining their selections. Obviously, the kernel modules are monolithic
> > > > > > > > > (most likely due to severe security issues in multi-threaded kernel
> > > > > > > > > mods). The security servers and other portions of vpn1/fw1 are not.
> > > > > > > > > (pbind etc. to take advantage.) You should run multiple instances to
> > > > > > > > > increase performance. Multiple instances will ensure that the second
> > > > > > > > > cpu is truly utilized (at least on solaris.). I doubt there is much
> > > > > > > > > need for more than a dual box.
> > > > > > > > >
> > > > > > > > > As far as I am aware, there are no specific dual processor tuning
> > > > > > > > > points for fw-1 on solaris (if you hear of any, let me know.) You might
> > > > > > > > > want to take a look at sunsolve.sun.com for the doc id 1442 (white
> > > > > > > > > papers/ tech bulletins).
> > > > > > > > Cheers,
> > > > > > > > Craig
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Peter Lukas" <[email protected]>
> > > > > > > > To: "William Pope" <[email protected]>
> > > > > > > > Cc: <[email protected]>
> > > > > > > > Sent: Monday, February 05, 2001 6:42 PM
> > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > >
> > > > > > > >
> > > > > > > > >
> > > > > > > > > > I did notice a version of the Luna VPN driver optimized for the
> > > > > > > > > > dormant CPU.  Seeing as how a relatively fast UltraSPARC can
> > > > > > > > > > effectively dust the StrongARM on the Chrysalis-ITS, it may be worth
> > > > > > > > > > a looksee for people who ended up purchasing a multi-CPU system for
> > > > > > > > > > their firewall...
> > > > > > > > >
> > > > > > > > > -peter
> > > > > > > > >
> > > > > > > > > On Mon, 5 Feb 2001, William Pope wrote:
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > I do not think that Checkpoint has released a multithreaded version
> > > > > > > > > > > of Firewall-1 yet.  I have had some luck using pbind & renice to
> > > > > > > > > > > force the Checkpoint services to the second processor leaving the
> > > > > > > > > > > first for the O/S.
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > > From: [email protected]
> > > > > > > > > > > [mailto:[email protected]]On Behalf Of Vincent, Mike
> > > > > > > > > > Sent: Monday, February 05, 2001 10:59 AM
> > > > > > > > > > To: 'Damon Starkey '; ''Arie Gilboa' '; ''fw-1 Mailinglis' '
> > > > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > Checkpoint did release a multi-threaded device driver to accelerate
> > > > > > > > > > > encryption and decryption on SMP SPARC/Solaris and Windows NT
> > > > > > > > > > > systems.
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Damon Starkey
> > > > > > > > > > To: 'Arie Gilboa'; 'fw-1 Mailinglis'
> > > > > > > > > > Sent: 2/5/01 10:15 AM
> > > > > > > > > > Subject: RE: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > > I was told no when I went through the Checkpoint Certification.  It
> > > > > > > > > > benefits from a good amount of memory.
> > > > > > > > > >
> > > > > > > > > > Damon Starkey
> > > > > > > > > > Network Administrator
> > > > > > > > > > Digital Access Corporation
> > > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Arie Gilboa [mailto:[email protected]]
> > > > > > > > > > Sent: Monday, February 05, 2001 9:44 AM
> > > > > > > > > > To: 'fw-1 Mailinglis'
> > > > > > > > > > Subject: [FW1] FireWall-1 and Dual CPU machine
> > > > > > > > > >
> > > > > > > > > > Hello!,
> > > > > > > > > > > I would like to install CP-2000 on a Dual CPU Solaris machine.
> > > > > > > > > > > Does CP-2000 software know to use more than one CPU? Is there any
> > > > > > > > > > > special configuration which should be done?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Arie Gilboa
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > > > ====
> > > > > > > > > >      To unsubscribe from this mailing list, please see the
> > > > > > instructions
> > > > > > > > at
> > > > > > > > > >               http://www.checkpoint.com/services/mailing.html
> > > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > > > ====
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > ====
> > > > > > > > > >      To unsubscribe from this mailing list, please see the
> > > > > > instructions
> > > > > > > > at
> > > > > > > > > >               http://www.checkpoint.com/services/mailing.html
> > > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > ====
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > ====
> > > > > > > > >      To unsubscribe from this mailing list, please see the
> > > > > > instructions at
> > > > > > > > >               http://www.checkpoint.com/services/mailing.html
> > > > > > > > >
> > > > > > > >
> > > > > > ============================================================================
> > > > > > > > ====
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ================================================================================
> > > > > >      To unsubscribe from this mailing list, please see the instructions at
> > > > > >               http://www.checkpoint.com/services/mailing.html
> > > > > > ================================================================================
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > ================================================================================
> > > > >      To unsubscribe from this mailing list, please see the instructions at
> > > > >               http://www.checkpoint.com/services/mailing.html
> > > > > ================================================================================
> > > > >
> > > >
> > > > --
> > > > --Paul
> > > >
> > > > ================================================================================
> > > >      To unsubscribe from this mailing list, please see the instructions at
> > > >               http://www.checkpoint.com/services/mailing.html
> > > > ================================================================================
> > >
> > >
> > >
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >
> >
> > --
> > --Paul
> 

-- 
--Paul




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
   All contents © 2004 Network Presence, LLC. All rights reserved.