[fw-wiz] Firewall Sizing? - Firewalls



Thread: [fw-wiz] Firewall Sizing?

  1. [fw-wiz] Firewall Sizing?

    How do you go about sizing a firewall?

    I ask both generally and specifically. Right now I need to replace
    an existing ISA server, and top of the list is a Secure Computing
    Sidewinder (those Palo Alto boxes look nice but they're just too much
    $$$ to go beyond looking at the features on the website :-)).

    Anyway, as with most vendors there's a number of models and a number
    of specs that vary as you move up the range - throughput, max
    sessions, recommended users etc.

    In our case I suspect we're a bit of an oddity, as we have a fat
    internet pipe and a few hundred users, but not all have full internet
    access and there's very little in the way of concurrent access (I
    think the most concurrent sessions I've ever seen was around 3000, and
    that depends on the vendor's idea of a session).

    Because of this, with most vendors I'm thinking of our situation, and
    on paper 9/10 times the low-end units appear suitable, but the vendors
    seem to simply hear "few hundred users" and "fat internet pipe" and
    try to persuade me I need the higher-end models.

    What puts the most load on a modern firewall such as a Sidewinder, is
    it sheer throughput, is it keeping track of X sessions to/from Y
    clients and so on?

    I'd appreciate any thoughts/input on how you go about sizing/speccing
    these things if you don't have the budget to simply buy a mid- to
    top-range unit.

    cheers,
    Paul
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] Firewall Sizing?

    Hello,

    On Thu, Jun 26, 2008 at 06:58:48PM +0100, Paul Hutchings wrote:

    > In our case I suspect we're a bit of an oddity, as we have a fat internet
    > pipe and a few hundred users, but not all have full internet access and
    > there's very little in the way of concurrent access (I think the most
    > concurrent sessions I've ever seen was around 3000 and that depends on the
    > vendors idea of a session).


    If you are specifically looking into Sidewinder^H^H^H^H^H^H^H^H^H^H
    Secure Firewall, then you need to take the license model into
    account. Every box below the 11xx limits the number of IP addresses
    on non-internet burbs. This is a hard limit; you cannot upgrade the
    license other than by buying a bigger box. They offer reasonable trade-in
    deals, but because of a "performance guarantee" policy they
    refuse to put more load on a system than they designed it for.

    So in case of Secure Computing I would really ask the vendor. With
    us they have always been quite straight and never recommended the
    bigger box just because of the better deal for them.

    > What puts the most load on a modern firewall such as a Sidewinder, is it
    > sheer throughput, is it keeping track of X sessions to/from Y clients and
    > so on?
    >
    > I'd appreciate any thoughts/input on how you go about sizing/speccing these
    > things if you don't have the budget to simply buy a the mid to top range
    > unit.


    Look up which unit is the smallest that satisfies your internal/DMZ
    IP address requirements. Then ask a sales engineer of Secure Computing
    for throughput figures of that particular box in various situations.
    Then use your thumb ;-)
    At least that's what we did. We use a pair of 210Ds to protect hosted
    Windows servers in our datacenter.

    Kind regards,
    Patrick M. Hausen
    --
    punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
    Tel. 0721 9109 0 * Fax 0721 9109 100
    info@punkt.de http://www.punkt.de
    Gf: Jürgen Egeling AG Mannheim 108285


  3. Re: [fw-wiz] Firewall Sizing?


    Paul,

    This is an incredibly complex question that I don't think has an easy answer. Major factors (in *generally* descending order of importance):

    1. # concurrent sessions (this is more and more important the more your firewall does: layer 3, stateful, packet inspection, app proxy, anti-malware, vpn endpoints, ssl endpoints, etc.)
    2. bandwidth.
    3. # rules.
    4. complexity of rules.
    5. depth of the firewall--e.g. is it just layer 3 or is it doing application proxying as well? Does it also scan for malware? Even if it is only layer 3 is it stateful, is it doing packet inspection, is it doing protocol sanity checking?
    6. is it doing encryption, e.g. a VPN endpoint. 3DES takes a lot more CPU than AES. etc.
    7. you should match the hardware it is running on to the depth of the firewall; e.g. if you are doing app proxying, virus checking, and stateful packet inspection, then you should have multiple CPUs. If your rule base is large and stateful, and/or you are using several services such as VPN and app proxy, then you will need more RAM. Etc.
    8. is it doing a lot of routing as well?
    9. Is the hardware dedicated/accelerated in any way--e.g. using ASICs for ROSM, thus making extensive routing less of an issue (e.g. for a WAN firewall with hundreds of networks attached).

    My best advice to you is to get a unit and test it in a lab under worst case conditions (take what you have and double it--# connections, # rules, etc.). In lieu of that--over-purchase. You don't want to do a major upgrade and then have to do it again due to performance issues.

    --p

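The sizing procedure the two replies describe (pick the smallest box whose IP-address licence covers the internal/DMZ hosts, get the vendor's throughput figure for your actual traffic profile, then test against double the observed load) written out as a check. This is an added example, not code from the thread or from any vendor: every model name, price, IP count and throughput figure below is a constructed placeholder, and `Observed`, `Model`, `worst_case`, `shortfalls` and `choose` are hypothetical names.

```python
"""Sizing check from this thread's rules of thumb; constructed example, not vendor code."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Observed:
    peak_sessions: int   # highest concurrent session count seen on the current box
    peak_mbps: float     # peak bandwidth actually used, not the size of the pipe
    internal_ips: int    # hosts on non-internet interfaces (the licence cap in post 2)
    mode: str            # traffic profile asked of the vendor, e.g. "l3" or "proxy"

@dataclass(frozen=True)
class Model:
    name: str            # placeholder model name, not a real product
    max_sessions: int
    rated_mbps: dict     # vendor throughput per mode: post 2's "various situations"
    licensed_ips: int    # 0 means no IP-address licence cap
    price: int

def worst_case(obs: Observed, factor: float = 2.0) -> Observed:
    # Post 3's lab rule: take what you have and double it. The IP count is a fixed
    # licence figure, so only the load (sessions, bandwidth) is scaled.
    return replace(obs, peak_sessions=round(obs.peak_sessions * factor),
                   peak_mbps=obs.peak_mbps * factor)

def shortfalls(model: Model, req: Observed) -> list:
    # Every reason a model fails the requirement; an empty list means it fits.
    out = []
    if 0 < model.licensed_ips < req.internal_ips:
        out.append(f"licence caps internal IPs at {model.licensed_ips} < {req.internal_ips}")
    if model.max_sessions < req.peak_sessions:
        out.append(f"session table {model.max_sessions} < {req.peak_sessions}")
    rated = model.rated_mbps.get(req.mode)
    if rated is None:
        out.append(f"no vendor throughput figure for mode '{req.mode}'")
    elif rated < req.peak_mbps:
        out.append(f"{req.mode} throughput {rated} Mbps < {req.peak_mbps}")
    return out

def choose(models: list, obs: Observed, factor: float = 2.0):
    # Cheapest model with no shortfall under the scaled load, or None if none fits.
    req = worst_case(obs, factor)
    fits = [m for m in models if not shortfalls(m, req)]
    return min(fits, key=lambda m: m.price) if fits else None

# Constructed sample: the poster's ~3000 sessions; the 100 Mbps, 400 IPs and models are invented.
SITE = Observed(peak_sessions=3000, peak_mbps=100.0, internal_ips=400, mode="proxy")
MODELS = [
    Model("small", 5000, {"l3": 300.0, "proxy": 80.0}, licensed_ips=250, price=1),
    Model("mid", 20000, {"l3": 800.0, "proxy": 250.0}, licensed_ips=500, price=2),
    Model("large", 100000, {"l3": 2000.0, "proxy": 900.0}, licensed_ips=0, price=4),
]
```

Running `shortfalls` on each model prints the specific reason the low-end unit fails (licence cap, session table, or proxy-mode throughput), which is the argument to take back to the sales engineer rather than "few hundred users".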

