Wednesday, June 27, 2007

firewall-wizards Digest, Vol 14, Issue 15

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall scaling (Marcus J. Ranum)
2. Re: Firewall scaling (rgolodner@infratection.com)
3. Re: Firewall scaling (Ian Searle)
4. Re: Firewall scaling (Keith A. Glass)
5. Re: Firewall scaling (sin)
6. Re: Firewall scaling (jason@tacorp.com)
7. Re: Firewall scaling (K K)
8. Re: Firewall scaling (Pollock, Joseph)


----------------------------------------------------------------------

Message: 1
Date: Wed, 27 Jun 2007 12:19:15 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>,
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6.2.0.14.2.20070627121635.04dffeb0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Sami Ghourabi wrote:
>I'm trying to convince management that a firewall that supports 32000
>concurrent sessions is enough for an organization that has a single WAN
>internet link, and about 60-100 users, but I'm lacking arguments.


Sami - you obviously work for retards. If they need to have arguments
from their technical staff regarding matters of technical obviousness,
they clearly don't understand the problem and aren't likely to ever
understand it.

My suggestion is that you tell them "Industry Expert Marcus Ranum
SAYS that for 100 concurrent users you need EXACTLY 3,560
concurrent session capability." It's based on a formula that I
would publish, except that, unfortunately, it was classified by the
IAEA.

mjr.

------------------------------

Message: 2
Date: Wed, 27 Jun 2007 05:49:13 +0000
From: rgolodner@infratection.com
Subject: Re: [fw-wiz] Firewall scaling
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <W2318813425247421182923353@webmail11>
Content-Type: text/plain; charset="us-ascii"

Sami, it also depends on what type of traffic you are jamming down the one WAN link. If you have any type of mail server behind your firewall, you may move up to that 32000 ceiling real quick. Provide a little more information and this list will help you out. With that many users and not knowing traffic types or amounts it is hard to give you a decent rationale for your argument.
Richard Golodner

>-----Original Message-----
>From: Sami Ghourabi [mailto:sami.ghourabi@online-netsecurity.com]
>Sent: Saturday, June 23, 2007 07:40 AM
>To: firewall-wizards@listserv.cybertrust.com
>Subject: [fw-wiz] Firewall scaling
>
>Hi List,
>
>I'm trying to convince management that a firewall that supports 32000
>concurrent sessions is enough for an organization that has a single WAN
>internet link, and about 60-100 users, but I'm lacking arguments.
>
>What do you think about that statement? Are there any rational methods
>available for firewall performance scaling (concurrent sessions, new
>sessions per second, throughput, etc.)
>
>Any answer/resource appreciated.
>
>Best Regards.
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@listserv.icsalabs.com
>https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20070627/89b0cb2c/attachment-0001.html


------------------------------

Message: 3
Date: Wed, 27 Jun 2007 11:09:33 -0700
From: Ian Searle <ians@potatoplanet.org>
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <C63FA2B0-CD66-4787-B27D-8D4D9C63E6AC@potatoplanet.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Um.... I used to work at a firewall company and with each new release
I would monitor the product's performance. We easily had 100-200
users behind this particular firewall, including a mail-server and I
NEVER saw the number of connections get anywhere near 32,000. 1/3 to
1/5 of that number is more like it.

It doesn't sound like you are dealing with very experienced people.
Perhaps the best you can do is gather anecdotal evidence (like this)
and use that?

----------
Ian Searle
ians@potatoplanet.org

P.S. There were times when I would send an email to "all@...."
asking everyone to surf the web all at the same time. Still, we
never hit anything like 32k connections.


On Jun 26, 2007, at Jun/26 - 10:49 PM, rgolodner@infratection.com wrote:

> Sami, it also depends on what type of traffic you are jamming
> down the one WAN link. If you have any type of mail server behind
> your firewall, you may move up to that 32000 ceiling real quick.
> Provide a little more information and this list will help you out.
> With that many users and not knowing traffic types or amounts it is
> hard to give you a decent rationale for your argument.
>
> Richard Golodner
>
> >-----Original Message-----
> >From: Sami Ghourabi [mailto:sami.ghourabi@online-netsecurity.com]
> >Sent: Saturday, June 23, 2007 07:40 AM
> >To: firewall-wizards@listserv.cybertrust.com
> >Subject: [fw-wiz] Firewall scaling
> >
> >Hi List,
> >
> >I'm trying to convince management that a firewall that supports 32000
> >concurrent sessions is enough for an organization that has a
> single WAN
> >internet link, and about 60-100 users, but I'm lacking arguments.
> >
> >What do you think about that statement? Are there any rational
> methods
> >available for firewall performance scaling (concurrent sessions, new
> >sessions per second, throughput, etc.)
> >
> >Any answer/resource appreciated.
> >
> >Best Regards.
> >
> >_______________________________________________
> >firewall-wizards mailing list
> >firewall-wizards@listserv.icsalabs.com
> >https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 4
Date: Wed, 27 Jun 2007 18:31:58 +0000
From: "Keith A. Glass" <salgak@speakeasy.net>
Subject: Re: [fw-wiz] Firewall scaling
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>, "Firewall Wizards Security
Mailing List" <firewall-wizards@listserv.icsalabs.com>,
firewall-wizards@listserv.icsalabs.com
Message-ID: <W6894232679233831182969118@webmail3>
Content-Type: text/plain; charset="us-ascii"

And if manglement is THAT clueless, you'll need that big a box to handle all the sessions from the trojans, spyware, and other crap that manglement and their kid brother download onto the company boxes. . .

My rule: there's no such thing as too big a firewall. . .

And for smaller companies, if you can dedicate part of it to viruses, malware, and email de-crapping, all the better. You don't have the manpower to do the jobs right: let the hardware do it for you . . . .
> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr@ranum.com]
> Sent: Wednesday, June 27, 2007 04:19 PM
> To: 'Firewall Wizards Security Mailing List',
> firewall-wizards@listserv.icsalabs.com
> Subject: Re: [fw-wiz] Firewall scaling
>
> Sami Ghourabi wrote:
> >I'm trying to convince management that a firewall that supports 32000
> >concurrent sessions is enough for an organization that has a single WAN
> >internet link, and about 60-100 users, but I'm lacking arguments.
>
>
> Sami - you obviously work for retards. If they need to have arguments
> from their technical staff regarding matters of technical obviousness,
> they clearly don't understand the problem and aren't likely to ever
> understand it.
>
> My suggestion is that you tell them "Industry Expert Marcus Ranum
> SAYS that for 100 concurrent users you need EXACTLY 3,560
> concurrent session capability." It's based on a formula that I
> would publish, except that, unfortunately, it was classified by the
> IAEA.
>
> mjr.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


------------------------------

Message: 5
Date: Wed, 27 Jun 2007 12:57:41 +0300
From: sin <sin@pvs.ro>
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <46823495.5090905@pvs.ro>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Sami Ghourabi wrote:
> Hi List,
>
> I'm trying to convince management that a firewall that supports 32000
> concurrent sessions is enough for an organization that has a single WAN
> internet link, and about 60-100 users, but I'm lacking arguments.

it depends very much what the traffic pattern for those users is.
it's not that hard to generate 32k connections with 100 pcs :)

> What do you think about that statement? Are there any rational methods
> available for firewall performance scaling (concurrent sessions, new
> sessions per second, throughput, etc.)
>
> Any answer/resource appreciated.
>


------------------------------

Message: 6
Date: Wed, 27 Jun 2007 14:54:18 -0400 (EDT)
From: jason@tacorp.com
Subject: Re: [fw-wiz] Firewall scaling
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20070627145323.Q62022@phoenix.cnwr.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


>
> it depends very much what the traffic pattern for those users is.
> it's not that hard to generate 32k connections with 100 pcs :)

Right, especially if you have dorms full of college students running
bittorrent.

Jason Mishka - "I'm like a Subway in a land of McDonalds..."

------------------------------

Message: 7
Date: Wed, 27 Jun 2007 13:54:41 -0500
From: "K K" <kkadow@gmail.com>
Subject: Re: [fw-wiz] Firewall scaling
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<dc718edc0706271154r24ed13dfv1cee9574a9474285@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I say you need two, as a failover cluster.


On 6/23/07, Sami Ghourabi <sami.ghourabi@online-netsecurity.com> wrote:
> I'm trying to convince management that a firewall that supports 32000
> concurrent sessions is enough for an organization that has a single WAN
> internet link, and about 60-100 users, but I'm lacking arguments.

I've not heard of a commercial firewall which only supports 32K
concurrent sessions, is this some sort of weird limited license cap
imposed by the vendor?

Ancient OpenBSD 'pf' running on an i386 with 128MB was able to do
upwards of 50,000 states back in the v3.6 days.

Kevin


------------------------------

Message: 8
Date: Wed, 27 Jun 2007 17:09:45 -0700
From: "Pollock, Joseph" <PollockJ@evergreen.edu>
Subject: Re: [fw-wiz] Firewall scaling
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <0698AD8E0930A44E90274067B7018D35C30DC1@oak.evergreen.edu>
Content-Type: text/plain; charset="us-ascii"

I want to second this comment. With p2p software running on clients in
our dorms, I've seen 3500+ connections from individual computers. And
the social networking sites are almost as bad, loading data from dozens
or hundreds of sites on a single page. I just saw a report that some of
them generate several hundred DNS queries from a single page load. We
have the data flow restricted, but the connections still get
established.

If you're a business site, though, you likely have more control over the
local desktop.

Joe Pollock
Network Services

-----Original Message-----

>
> it depends very much what the traffic pattern for those users is.
> it's not that hard to generate 32k connections with 100 pcs :)

Right, especially if you have dorms full of college students running
bittorrent.

Jason Mishka - "I'm like a Subway in a land of McDonalds..."
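
The thread's recurring point is that a state table fills according to the per-host traffic mix, not the user head-count. The script below is an added worked example (not from any message in this digest): it sizes expected concurrent states from a constructed host profile against the 32000 ceiling under discussion, and counts states per internal host over a constructed state-table dump to find hosts behaving like the p2p clients described above. The host classes, per-host figures (other than the 3500 echoed from the thread), addresses and the 30% reserve are all assumptions.

```python
from collections import Counter

# Constructed traffic profile: (host class, number of hosts, typical concurrent
# states per host). Per-host figures are placeholders; the 3500 for a p2p host
# mirrors the dorm observation in the thread, the rest are assumptions.
PROFILE = [
    ("office_desktop", 90, 40),
    ("mail_server", 1, 600),
    ("p2p_host", 3, 3500),
]

def estimate_states(profile):
    """Expected concurrent states: sum of hosts x states-per-host per class."""
    return sum(hosts * per_host for _, hosts, per_host in profile)

def headroom(expected, capacity, reserve=0.30):
    """Return (fits, utilisation). fits is False once the expected load eats
    into the reserve kept for bursts, scans and lingering half-open states."""
    util = expected / capacity
    return util <= 1.0 - reserve, util

# Constructed state-table dump, one (src, dst, proto) entry per tracked flow:
# two ordinary hosts and one host behaving like a p2p client.
STATES = (
    [("10.0.0.5", f"198.51.100.{i}", "tcp") for i in range(1, 120)]
    + [("10.0.0.7", f"203.0.113.{i}", "udp") for i in range(1, 30)]
    + [("10.0.0.9", f"192.0.2.{i % 250 + 1}", "tcp") for i in range(3600)]
)

def states_per_host(states):
    """Concurrent states attributed to each internal source address."""
    return Counter(src for src, _, _ in states)

def noisy_hosts(states, threshold):
    """Hosts whose state count alone reaches the threshold; these, not the
    user head-count, are what pushes a table toward its ceiling."""
    return {h: c for h, c in states_per_host(states).items() if c >= threshold}

if __name__ == "__main__":
    expected = estimate_states(PROFILE)
    fits, util = headroom(expected, 32000)
    print(f"expected states {expected}, utilisation {util:.1%}, fits={fits}")
    print("hosts at p2p-like counts:", noisy_hosts(STATES, 3500))
```

Feeding the per-host counter with a real state dump (for example pf's state listing) instead of the constructed list turns it into the anecdotal-evidence gatherer Ian suggests, with numbers from your own network.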

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 14, Issue 15
************************************************