On Sun, 19 Mar 2000, Gregory Maxwell wrote:
> On Sun, 19 Mar 2000, Lars Marowsky-Bree wrote:
> > On 2000-03-17T17:50:56,
> >    "Christopher E. Brown" <[EMAIL PROTECTED]> said:
> > 
> > >   Sure, it protects you from SYN attacks, but it is a stateful
> > > device, and evil.
> > 
> > Stateful filtering is generally considered a good thing.
> 
> Stateful is evil, begone spawn of the devil!
> 
> Seriously, though. Statefulness is the enemy of performance and
> reliability.


        Aha, someone understands.

        The main problem (besides the fact this thing is basically a
proxy) is the single ingress/egress point required.

        The servers behind this box *must* have a single ingress and
egress point via the PIX; multipath access to the server network
breaks the whole model.  Should the 1 PIX get overloaded and/or
fubarred, it affects *ALL* traffic to the cluster.  Even if you have an
automagic swap out to another PIX, or bypass it, all sessions active at
the time *die* (the sessions *are not* connected to your servers, they
are connected to the PIX, and the PIX connects to the servers).

        Transparent router or filter devices that do stateful
*monitoring* (such as keeping track of the sessions) are fine, the PIX
is not this.  It does not monitor the state of things, it sets the
state of things, and takes that state with it if/when it dies.


Figure the minimum number of high end servers you need in a grouping,
based on shared data sets.  (Boxes with shared data sets will prolly
need high speed interconnects direct server to server)

Figure the number and rate of connections for the entire cluster.

Compare this data to the 1 little PIX that breaks the entire grouping
should it fail.


I won't directly question the marketing claims as far as
connections/sec rates, but it is amusing to remember the (restricted)
64,000 simultaneous sessions, (unrestricted) 128,000 simultaneous
sessions, and the 6579 connections per second listed for the 515 are
on a 200 MHz MIPS CPU.  This thing is supposed to be doing stateful NAT
and proxy connections+NAT...

---
As folks might have suspected, not much survives except roaches, 
and they don't carry large enough packets fast enough...
        --About the Internet and nuclear war.


-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
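The failure mode argued above (a stateful device holds the session table, so a failover to a standby kills every live session unless that state is replicated) as an added toy model; this is constructed example code, not code from the original post or from any Cisco product. The `StatefulFilter` class, its optional `peer` sync partner and the `run()` driver are all hypothetical names.

```python
"""Toy model: a stateful filter accepts mid-stream packets only for flows it
already tracks. If the primary dies and the standby has no copy of the table,
every established session is dropped; replicating state to the standby is
the mitigation. Constructed example, not from the original post."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


@dataclass
class StatefulFilter:
    name: str
    table: Set[Flow] = field(default_factory=set)
    peer: Optional["StatefulFilter"] = None  # hypothetical state-sync partner

    def handle(self, flow: Flow, syn: bool) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if syn:                                 # new session: create state
            self.table.add(flow)
            if self.peer is not None:           # replicate to the standby
                self.peer.table.add(flow)
            return True
        return flow in self.table               # mid-stream: must be known


def run(sync_state: bool) -> Tuple[int, int]:
    """Open 100 sessions through the primary, fail over to the standby, then
    send one more packet per session. Returns (survived, died)."""
    primary = StatefulFilter("pix-a")
    standby = StatefulFilter("pix-b")
    if sync_state:
        primary.peer = standby
    # Constructed sample flows: 100 clients talking to one server on port 80.
    flows = [("10.0.0.%d" % i, 40000 + i, "192.0.2.10", 80) for i in range(1, 101)]
    for f in flows:
        primary.handle(f, syn=True)
    active = standby                            # primary dies; standby takes over
    survived = sum(active.handle(f, syn=False) for f in flows)
    return survived, len(flows) - survived


if __name__ == "__main__":
    print("no state sync:", run(False))        # (0, 100): every live session dies
    print("state sync:   ", run(True))         # (100, 0)
```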
