--On Thursday, July 21, 2005 09:32:44 AM -0400 "Marcus J. Ranum"

> You should know what your peak loads through the link are going to
> look like, and then you can start looking at which products claim they
> operate at that level. If you're really concerned you can either use
> one of two (equally effective) approaches to predict the performance
> you'll see:
> 1) test or research a credible performance test (not one done by a vendor
> lab)
> 2) use bob's algorithm - assume the product can actually handle 1/2
> of what its manufacturer claims it can handle

To add some real-life data to Marcus' common sense advice, be _very_
careful about what packet rate you need. FW-1 vendors love to talk bps, but
corner them on pps and their numbers are... less than stellar. And once you
exceeded their max pps rate, they behaved _very_ badly. At least that was
the case as of NG's release - it's possible things have improved in the

(Buy me a cosmo some time and I'll tell stories about dragging 64-byte
packet performance numbers out of Checkpoint while they kicked, whined,
screamed, and complained to my boss that I was being "unfair" for making
them give the same performance data all the other vendors did. By the way -
they came in dead last, on _any_ platform. Mmmmm.... slow _and_ insecure...)


firewall-wizards mailing list