Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] VPN Performance Load

To: "Ronnie Clark" <[email protected]>, "Fw-1-Mailinglist (E-mail)" <[email protected]>
Subject: RE: [FW1] VPN Performance Load
From: "Mark Decker" <[email protected]>
Date: Wed, 21 Feb 2001 16:15:20 -0800
Importance: Normal
In-reply-to: <EE037FA03845D41190F400508B2D851135CDA4@SWS_EXCG6>
Reply-to: <[email protected]>
Sender: [email protected]

Ronnie,

I hate to be the voice of doom, but 10% overhead is a lovely dream
compared to the ugly reality of more than 80% overhead.  Throughput will
go WAY down when you start encrypting traffic.  This is not a slam on
VPN-1, which is an excellent product, but just the cold reality of
encryption, which is very processor-intensive by nature.  The more
secure the encryption method, the worse your throughput will be (e.g.
3DES is 1/2 the throughput of regular DES).  Here is VPN-specific
benchmark data from Check Point:

http://www.checkpoint.com/products/vpn1/vpn1perfdata.html#Throughput

The good news is that there are some things you can do to speed things
back up.  The most common is to install a hardware accelerator card,
which can dramatically increase VPN throughput by offloading the
encryption task.  Or, if you happen to have a multi-processor box, you
can use the additional processors as pseudo hardware accelerators
(requires the new VPNx driver in SP3).  If hardware doesn't give enough
of a boost, or if you also are concerned with reliability and downtime
prevention, you can also cluster multiple VPN-1 gateways together and
load balance them with RainWall.  Clustering can be used either with or
without a hardware accelerator to scale up VPN performance.  For more
info, read this white paper:

http://www.rainfinity.com/us/eng/downloads/whitepapers/wp_increasing_fw_
capacity.pdf

If you will have mixed VPN and non-VPN traffic, your results will be
somewhere in between.  If only 10% of your traffic is SecuRemote, and
the rest is regular browsing and email, the impact will not be as large
as if 60% of your traffic is SecuRemote.

HTH,

Mark L. Decker
Rainfinity
[email protected]
www.rainfinity.com> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Ronnie Clark
> Sent: Wednesday, February 21, 2001 11:48 AM
> To: Fw-1-Mailinglist (E-mail)
> Subject: [FW1] VPN Performance Load
>
>
>
> Hello All,
>
>   Does anyone happen to have any stats on how much of a
> performance hit the
> VPN has on Checkpoint Firewall-1? Like is it a 10% hit on
> performance? etc.
>
>
> Thank you,
> Ronnie Clark
>
>
>
>
> ==============================================================
> ==================
>      To unsubscribe from this mailing list, please see the
> instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
>



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

References:
- [FW1] VPN Performance Load
  - From: Ronnie Clark <[email protected]>

Prev by Date: [FW1] network topology -- please look at this and tell me if it's possible
Next by Date: RE: [FW1] network topology -- please look at this and tell me if it's possible
Previous by thread: [FW1] VPN Performance Load
Next by thread: [FW1] Reinstalling a nokia 440
Index(es):
- Date
- Thread