Ronnie,
I hate to be the voice of doom, but 10% overhead is a lovely dream
compared to the ugly reality of more than 80% overhead. Throughput will
go WAY down when you start encrypting traffic. This is not a slam on
VPN-1, which is an excellent product, but just the cold reality of
encryption, which is very processor-intensive by nature. The more
secure the encryption method, the worse your throughput will be (e.g.
3DES is 1/2 the throughput of regular DES). Here is VPN-specific
benchmark data from Check Point:
http://www.checkpoint.com/products/vpn1/vpn1perfdata.html#Throughput
The good news is that there are some things you can do to speed things
back up. The most common is to install a hardware accelerator card,
which can dramatically increase VPN throughput by offloading the
encryption task. Or, if you happen to have a multi-processor box, you
can use the additional processors as pseudo hardware accelerators
(requires the new VPNx driver in SP3). If hardware doesn't give enough
of a boost, or if you also are concerned with reliability and downtime
prevention, you can also cluster multiple VPN-1 gateways together and
load balance them with RainWall. Clustering can be used either with or
without a hardware accelerator to scale up VPN performance. For more
info, read this white paper:
http://www.rainfinity.com/us/eng/downloads/whitepapers/wp_increasing_fw_
capacity.pdf
If you will have mixed VPN and non-VPN traffic, your results will be
somewhere in between. If only 10% of your traffic is SecuRemote, and
the rest is regular browsing and email, the impact will not be as large
as if 60% of your traffic is SecuRemote.
HTH,
Mark L. Decker
Rainfinity
[EMAIL PROTECTED]
www.rainfinity.com
(408) 382-4870
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Ronnie Clark
> Sent: Wednesday, February 21, 2001 11:48 AM
> To: Fw-1-Mailinglist (E-mail)
> Subject: [FW1] VPN Performance Load
>
>
>
> Hello All,
>
> Does anyone happen to have any stats on how much of a
> performance hit the
> VPN has on Checkpoint Firewall-1? Like is it a 10% hit on
> performance? etc.
>
>
> Thank you,
> Ronnie Clark
>
>
>
>
> ==============================================================
> ==================
> To unsubscribe from this mailing list, please see the
> instructions at
> http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
