> PCWeek just had a decent article about security.  A firewall machine should be
> spec'd depending on the amount of traffic.  Firewalls inspect each packet and
> apply the inspection to a ruleset.  If you have a lot of traffic, that could
> quickly bog down a machine.

The number of rulesets will also play a role in sizing a machine.
Performance will be much different on a firewall that has to compare each
packet against 100 rules before coming to that final 'drop all from all'
rule compared to a ruleset with 2 rules.  If you have (or will have) a
complex network infrastructure encompassing many subnets, domains, 
allowed services to/from specific machines, and special address
translation rules, you may notice a performance degradation.  Compound
this with a lot of traffic and you may run into problems if you sized too
small.  

My favorite answer to this type of question is:  "Plan for the exception,
not the rule." Meaning, don't capacity plan based on normal usage
patterns.  If budget allows, size for the worst scenario that you'd like
to be able to withstand while considering the possibilities of adding
incoming bandwidth, requiring more rules, etc.

// chris
[EMAIL PROTECTED]

*************************************************************************
Chris Tobkin                                               [EMAIL PROTECTED]
Java and Web Services - Academic and Distributed Computing Services - UMN
Shep. Labs 190                                      Minneapolis, MN 55455 
             ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
        "Nothing great was ever achieved without enthusiasm."
        - Ralph Waldo Emerson, poet, writer, and philosopher 
*************************************************************************


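The cost model the message describes (each packet is compared against the rules in order until one matches, and the final "drop all from all" rule is reached only after every rule above it has been tried) can be made concrete with a small first-match simulator. The following is an added example written for this page, not code from the message's author or from any firewall product; the Rule and Packet types, the TEST-NET addresses (192.0.2.0/24, 198.51.100.0/24), and the ruleset generator are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical first-match packet filter, constructed for this example only.
# It counts how many rules a packet is compared against before a decision,
# which is the per-packet work the message says grows with ruleset size.


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    proto: str            # "tcp", "udp", or "any"
    src: str              # CIDR; "0.0.0.0/0" means any source
    dst: str              # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Five-tuple style match of one packet against one rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation.

    Returns (action, number_of_rules_compared).  If no rule matches, the
    packet falls through to an implicit drop after every rule was tried.
    """
    for position, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, position
    return "drop", len(rules)


def build_ruleset(n_allow: int) -> List[Rule]:
    """n_allow accept rules (HTTPS to distinct internal hosts in 192.0.2.0/24,
    a constructed TEST-NET range) followed by the final 'drop all from all'."""
    rules = [
        Rule("accept", "tcp", "0.0.0.0/0", f"192.0.2.{i}", 443)
        for i in range(1, n_allow + 1)
    ]
    rules.append(Rule("drop", "any", "0.0.0.0/0", "0.0.0.0/0", None))
    return rules


def cost_of_stream(rules: List[Rule], packets: List[Packet]) -> float:
    """Average number of rule comparisons per packet for a traffic sample."""
    total = sum(evaluate(rules, p)[1] for p in packets)
    return total / len(packets)


if __name__ == "__main__":
    # Constructed traffic: one legitimate HTTPS packet and one scan packet
    # aimed at an unpublished host/port, which matches nothing but the drop rule.
    legit = Packet("tcp", "198.51.100.7", "192.0.2.2", 443)
    scan = Packet("tcp", "198.51.100.7", "192.0.2.200", 22)
    for n in (2, 100):
        rs = build_ruleset(n)
        print(f"{n:>3} allow rules + drop-all: legit={evaluate(rs, legit)} "
              f"scan={evaluate(rs, scan)} avg={cost_of_stream(rs, [legit, scan])}")
```

Running it shows the asymmetry that matters for sizing: the legitimate packet is decided at the same position in both rulesets, while the scan packet costs 3 comparisons with 2 allow rules and 101 with 100, because traffic that matches nothing always pays for the whole ruleset. That unmatched traffic (scans, floods, misconfigured peers) is exactly the "exception" the message says to plan for. Two general caveats: a stateful firewall normally short-circuits packets belonging to an established flow through its connection table, and some engines compile rules into lookup structures rather than scanning linearly, so the real per-packet cost is not simply the rule count, but the new-connection and no-match cases still bear the full classification cost.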