Re: [FW-1] AW: [FW-1] HTTP security server woes on NG... frustration level rising...
> No matter what the hardware, the HTTP security server _is_ a slouch :)

Doh! =)

> No you _definitely_ want more than just two processes. I do
> not have a lot of experience with the HTTP security server,
> but I would recommend a minimum of 4 or 8.

I'll start out with 8 and move up, if needed, from there.

> You will also need a _lot_ of memory in these boxes.
> According to Dameon Welch-Abernathy (phoneboy), the security
> server in 4.1 on Nokia handling just 1024 connections can
> reach as much as 87 megs. This is supposed to be similar on
> other platforms.

Well, they each have 2GB of memory in them, and can go up to 8GB per box. It'll be interesting to see just how much memory is consumed... especially when we're at capacity. Buying more memory for these boxes and/or more firewalls would be doable if the 280Rs we have now can't handle the load. So that's a plus.

> You already took care of the file descriptors issue, however
> you may also want to increase the HTTP buffer size to help
> with your performance problems.

Already did; it was mentioned in the performance tuning guide on Checkpoint's site.

> You may want to refer to Dameon's book "Essential CheckPoint
> Firewall-1" as he covers some of these issues.

I'm adding buying this book to my list of things to do tomorrow afternoon. =)

> I personally feel that the CheckPoint security servers are
> overused. In many cases, a dedicated web proxy would be a far
> better choice. In your situation, it may be the only choice.

Well, luckily about 1000 of those servers I mentioned _are_ web proxies. All of the outbound HTTP/HTTPS/FTP requests that our customers generate are proxied through a hierarchy of web caches at various strategic points throughout our network. Both caching and filtering services are provided for our customers by these devices and they work rather well. What I'm doing here is filtering inbound requests from the Internet to a group of (busy) HTTP servers.
This is good because the number of HTTP requests coming into that group of servers isn't near what our customer base generates (after three tiers of caching servers we were still pulling down a peak of ~90Mbit/sec just before the off-season hit). This is bad because it could potentially leave us open to DoS attacks through resource starvation attacks against the firewall (i.e. a flood of bogus HTTP requests). It's all a matter of weighing the risks with the rewards. Reverse proxying (probably with a couple or three of the NetworkAppliance NetCache boxes) is something we're considering doing, so we could do the filtering on those, but there's nothing concrete about that actually being implemented just yet... so I'm stuck trying to get it to work with FireWall-1. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
[email protected]
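The resource-starvation risk Abe raises (a flood of bogus HTTP requests tying up security server processes and memory) is easier to weigh if you can see it coming in the web server or proxy logs. The following is an added example, not code from the thread or from Check Point: it parses Common Log Format lines, applies a per-source sliding-window request-rate check, and separately counts request lines that do not look like well-formed HTTP. The log lines, the source addresses, the 10-second window and the 20-request threshold are all constructed assumptions for illustration.

```python
"""Per-source HTTP request-rate and malformed-request check over log lines.

Added example (not from the original post). Assumes Common Log Format input;
sample traffic below is constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: src ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A minimally well-formed request line; anything else is counted as bogus.
REQ_RE = re.compile(r'^(GET|HEAD|POST) \S+ HTTP/1\.[01]$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a record dict for a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_floods(lines, window_seconds=10, max_requests=20):
    """Scan log lines and return (flagged, malformed).

    flagged:   {src: peak requests seen inside any window_seconds window}
               for sources that exceeded max_requests in a window.
    malformed: {src: count of request lines that fail REQ_RE}.
    Records are sorted by timestamp first, so out-of-order input is tolerated.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    malformed = defaultdict(int)
    for rec in records:
        src = rec["src"]
        if not REQ_RE.match(rec["req"]):
            malformed[src] += 1
        q = recent[src]
        q.append(rec["ts"])
        # Drop timestamps that have slid out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged, dict(malformed)


def build_sample_log():
    """Constructed sample: one quiet client (5 requests over 48 s) and one source
    firing 30 requests within 5 s, a third of them with garbage request lines.
    Addresses are documentation ranges; none of this is real traffic."""
    base = datetime(2002, 11, 12, 10, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'198.51.100.4 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /page{i}.html HTTP/1.0" 200 2048')
    for i in range(30):
        t = base + timedelta(milliseconds=160 * i)
        req = "BOGUS /// HTTP/9.9" if i % 3 == 0 else "GET /index.html HTTP/1.0"
        lines.append(f'203.0.113.7 - - [{t.strftime(TS_FMT)}] "{req}" 400 0')
    return lines


if __name__ == "__main__":
    flagged, malformed = find_floods(build_sample_log())
    for src, peak in flagged.items():
        print(f"{src}: {peak} requests in a 10 s window, "
              f"{malformed.get(src, 0)} malformed request lines")
```

Run against a real access log with `find_floods(open(path))` and tune the window and threshold to the site's normal peak; a source that trips the rate check and also produces malformed request lines is the pattern worth rate-limiting upstream of the security server rather than letting it consume a process slot per request.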