Join 3,552 readers in helping fund MetaFilter (Hide)


Understanding throughput..the right way..
October 16, 2008 6:57 AM   Subscribe

Firewall and VPN throughput: Please help me understand the real world difference ?

I'm working on examining different firewall's to replace an existing Nokia IP 380.

I see different throughput numbers being thrown around by different vendors and it gets rather confusing for me.

Take for example, a FW throughput as advertised at 1 Gbps and VPN throughput as advertised at 600 Mbps.

I only have 1 firewall and about 50 IPSEC VPNs; personally,it doesn't make sense to buy a firewall that can handle such throughput if the line coming into my office is just 1.5 Mbps ?

All VPN's at the site have T1's and the main site has a T1, so what's the point of getting a firewall that encrypts/decrypts traffic at 600 Mbps ?

And VPN throughput is combined into the overall FW throughput ?

I took a look at the device utilization of the firewall between yesterday and today and got this -- i'm really uncertain how to analyze that and correctly size the new FW ?

On average i believe the current FW is running about 40 Mbps..

I know i'm not understanding something correctly, so please someone please school me...
posted by hboogz to Technology (9 answers total) 1 user marked this as a favorite
 
In the event the image link doesn't work, try this
posted by hboogz at 6:59 AM on October 16, 2008


I think it depends on how you have the firewall set up. If you have your router (which may be built into the firewall) configured so that local traffic -- stuff not going to or coming from the Internet -- isn't examined or subject to rules, then the firewall's throughput doesn't matter substantially. It just needs to be higher than the fastest internet connection you'll probably ever have in its lifetime. Unless you're planning on relocating to Sweden, 1Gb is way more than you'll need.

However if you have local traffic running through the firewall too (which you might, to stop the propagation of worms and other crap), then it becomes a much bigger issue. Ten clients each on 100Mb lines could theoretically saturate a firewall with an overall throughput of 1Gb/s.

If your current firewall reports average throughput of 40Mb/s, and your internet connection is only 1.5Mb, then it's definitely screening local traffic as well as border traffic.

I'm a little unclear what you mean when you're describing the setup of VPNs. You mention that you have 50 of them each with a T1; are those all at one location, and presumably serviced by the same firewall box? Or are those your remote offices, where each office has it's own T1 and then they're all tied together via an IPSEC VPN?

If you have 50 T1 lines coming into one location (which would be...odd; why wouldn't you bond them together as T3s or something) and want the firewall to sit across all of them, monitoring only border traffic, then you are talking about 75Mb/s. But you may run into some configuration issues; I'm not sure if the quoted throughput for most firewalls screening VPN traffic (the 600Mb number you mentioned) scales linearly to many concurrent VPN sessions. It might be able to handle 1 VPN connection at 600Mb/s, but not necessarily 50 at 12Mb each.

Hope that's helpful.
posted by Kadin2048 at 7:38 AM on October 16, 2008


A lot of these boxes, especially Nokia's, are targeted at banks that might have the actual bandwidth for those numbers to matter. For your size network, nearly anything will be fine. You'd save a ton of money without seeing any difference in performance using a cheaper box than a 380 or equivalent. Those are overkill even for a T3 with 200 tunnels.

In any case the two numbers quoted (1Gb, 600Mb/s VPN) reference different things. The first is the NIC speed, 1Gb being standard now, and effectively meaningless these days (nearly all software firewalls do "wire-speed" inspection now). The other number means it can perform crypto operations on roughly that much data before hosing the system.

You want that second number to be high for two reasons: 1) a lot of small packets; or 2) sustained large data transfers. Both are likely only occasional events, but when they happen they affect everything else.

Your throughput graphs are misleading because you're measuring what's going through your firewall and not your circuit utilization, which is far more important. If you're seeing that much through your firewall, with only a T1 to the internet, you need a bigger line, not a bigger firewall.
posted by jma at 9:25 AM on October 16, 2008


Kadin -

"Or are those your remote offices, where each office has it's own T1 and then they're all tied together via an IPSEC VPN?"

That's what I have setup..

jma,

The FW's I've looking at are the nokia IP 290 and the Juniper SSG 350. Now, the IP 290 seems to do 1.5 Gbps FW throughput and 1 Gbps VPN throughput.

I wasn't referring to the interface speed.

My question really is, in what type of scenario would 1 Gbps VPN throughput be necessary if all my remote sites have a 1.5 T1 and HQ has a 1.5 T1. -- i'm just not understanding that.

If the interface is 1 Gbps and the circuit coming in, for arguments sake is a bonded T @ 3.0 Mbps, i can then terminate thousands of tunnels from thousands of sites because i have a severe bottleneck at the cloud and, i guess, at the interface ?
posted by hboogz at 11:05 AM on October 16, 2008


I think the scenario that number would be useful for is if you have a bazillion branch offices each with a T1, and the firewall is sitting on a fiber link directly to the local exchange hotel. Or you have several corporate campuses with fast links between them. Etc.

Or maybe it's just that Moore's law gave them hardware capable of that much encryption as a side effect of its ability to do something else it needs (PKC operations?), so why not advertise the number?
posted by hattifattener at 11:39 AM on October 16, 2008


So, essentially FW throughput is kind of a meaningless arbitrary number thrown out there for sales purposes ?

For example, i've seen a sonicwall ad indicating one of its FW's does 600 Mbps which is the fastest in its competing price bracket -- but what the hell is the point ?? I'm pretty certain managers are making purchasing decisions based on the "higher" throughput --- but if that's just theoretical and really not ever ( at least for the next 10 years ) ever going to be practical -- then what's the point of having 3-4 different levels of firewall grades ?

The biggest probably most important thing between the firewalls as you get higher then would be the hardware, the more throughput would be an unnecessary metric to look at.

What's the fastest www connection can a company get ?

How fast is Private Metro / MAN. OC 48 ?

That's what i'm not understanding, or perhaps, not wanting to accept.
posted by hboogz at 11:56 AM on October 16, 2008


An OC-12 will get you 600Mbps. A firewall box at a colo near an interchange/big peering point is probably on a 10Gbps ethernet, and the interchange will have many links going to other places, not just one. An OC-768 will get you ~40Gbps.
posted by hattifattener at 12:24 PM on October 16, 2008


jma,

could you explain this in detail

"Your throughput graphs are misleading because you're measuring what's going through your firewall and not your circuit utilization, which is far more important. If you're seeing that much through your firewall, with only a T1 to the internet, you need a bigger line, not a bigger firewall."
posted by hboogz at 12:47 PM on October 16, 2008



could you anyone explain why this is the case based on my image ?

".If you're seeing that much through your firewall, with only a T1 to the internet, you need a bigger line, not a bigger firewall."
posted by hboogz at 12:49 PM on October 16, 2008


« Older Where can I find some slippers...   |  What's the best (free) softwar... Newer »
This thread is closed to new comments.