
Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...



> No matter what the hardware, the HTTP security server _is_ a slouch :)

        Doh! =)

> No you _definitely_ want more than just two processes. I do
> not have a lot of experience with the HTTP security server,
> but I would recommend a minimum of 4 or 8.

        I'll start out with 8 and move up, if needed, from there.

> You will also need a _lot_ of memory in these boxes.
> According to Dameon Welch-Abernathy (phoneboy), the security
> server in 4.1 on Nokia handling just 1024 connections can
> reach as much as 87 megs. This is supposed to be similar on
> other platforms.

        Well, they each have 2GB of memory in them, and can go up to 8GB
per box.  It'll be interesting to see just how much memory is
consumed... especially when we're at capacity.  Buying more memory for
these boxes and/or more firewalls would be doable if the 280R's we
have now can't handle the load.  So that's a plus.

> You already took care of the file descriptors issue, however
> you may also want to increase the HTTP buffer size to help
> with your performance problems.

        Already did; it was mentioned in the performance tuning guide on
Checkpoint's site.

> You may want to refer to Dameon's book "Essential CheckPoint
> Firewall-1" as he covers some of these issues.

        I'm adding buying this book to my list of things to do tomorrow
afternoon. =)

> I personally feel that the CheckPoint security servers are
> overused. In many cases, a dedicated web proxy would be a far
> better choice. In your situation, it may be the only choice.

        Well, luckily about 1000 of those servers I mentioned _are_ web
proxies.  All of the outbound HTTP/HTTPS/FTP requests that our customers
generate are proxied through a hierarchy of web caches at various
strategic points throughout our network.  Both caching and filtering
services are provided for our customers by these devices and they work
rather well.  What I'm doing here is filtering inbound requests from the
Internet to a group of (busy) HTTP servers.
        This is good because the number of HTTP requests coming into
that group of servers isn't near what our customer base generates (after
three tiers of caching servers we were still pulling down a peak of
~90Mbit/sec just before the off-season hit).  This is bad because it
could potentially leave us open to DoS attacks through resource
starvation attacks against the firewall (i.e. a flood of bogus HTTP
requests).  It's all a matter of weighing the risks against the rewards.
        Reverse proxying (probably with a couple or three of the
NetworkAppliance NetCache boxes) is something we're considering doing,
so we could do the filtering on those, but there's nothing concrete
about that actually being implemented just yet... so I'm stuck trying to
get it to work with FireWall-1. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
[email protected]
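The resource-starvation risk Abe raises above (a flood of bogus HTTP requests tying up the security server's processes and memory) is the kind of thing worth watching for on the firewall's own logs. The following is an added example, not code from this thread or from Check Point: a small sliding-window detector that flags any client source exceeding a request rate threshold, plus a helper that scales the per-connection memory figure quoted in the thread (87 MB for 1024 connections on 4.1/Nokia) to a planned concurrency level. The log line format, the window of 10 seconds, the threshold of 5 requests and the sample addresses are all constructed assumptions for the demonstration.

```python
"""Flag HTTP request floods that would starve a proxying firewall (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The format is an assumption for this example:
#   "<client-ip> [<ISO-8601 timestamp>] <method> <path> <status>"
# 203.0.113.9 fires eight requests in three seconds; 198.51.100.4 is a normal client.
SAMPLE_LOG = """\
198.51.100.4 [2003-10-01T12:00:00] GET /index.html 200
203.0.113.9 [2003-10-01T12:00:01] GET /index.html 200
203.0.113.9 [2003-10-01T12:00:01] GET /index.html 200
203.0.113.9 [2003-10-01T12:00:01] GET /a 404
203.0.113.9 [2003-10-01T12:00:02] GET /b 404
203.0.113.9 [2003-10-01T12:00:02] GET /c 404
203.0.113.9 [2003-10-01T12:00:02] GET /d 404
203.0.113.9 [2003-10-01T12:00:03] GET /e 404
203.0.113.9 [2003-10-01T12:00:03] GET /f 404
198.51.100.4 [2003-10-01T12:00:05] GET /page2.html 200
198.51.100.4 [2003-10-01T12:00:09] GET /page3.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.fromisoformat(m["ts"]),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_floods(lines, window_seconds=10, threshold=5):
    """Return {client_ip: peak_requests_in_window} for sources that exceed the threshold.

    A per-source deque holds the timestamps seen in the last `window_seconds`;
    anything older is dropped as each new request arrives, so memory stays bounded
    by the number of requests in the window rather than the size of the log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip unparseable lines instead of aborting the sweep
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(len(q), peaks.get(rec["ip"], 0))
    return peaks


# Figure quoted in the thread for the 4.1 security server on Nokia: ~87 MB at 1024 connections.
MB_PER_1024_CONNECTIONS = 87


def estimate_security_server_mb(concurrent_connections):
    """Linear scaling of the thread's per-connection memory figure to a planned load."""
    return concurrent_connections * MB_PER_1024_CONNECTIONS / 1024


if __name__ == "__main__":
    for ip, peak in find_floods(SAMPLE_LOG.splitlines()).items():
        print(f"flood suspected from {ip}: {peak} requests inside the window")
    print(f"estimated memory at 4096 connections: {estimate_security_server_mb(4096):.0f} MB")
```

The detector reports the peak count rather than just a yes/no, so the same sweep can feed a capacity decision: if one source routinely accounts for most of the connections the security server processes are holding, that is the budget a flood would consume before legitimate inbound requests are affected.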
