Re: [K12OSN] Firewall

Terrell Prudé, Jr. wrote:

> If you're talking about 500-1000 "regular", unencrypted TCP connections, then virtually any Pentium II box with, say, 128MB DRAM will be somewhat overkill; a 32MB 486DX-33 will do the job. If, on the other hand, you mean 500-1000 VPN connections, then you'd better get the biggest, baddest, beefiest CPUs that you can possibly afford, and preferably more than one physical box like that. Personally, I'd be looking into hardware crypto acceleration at that point.

Actually, hardware crypto accelerators don't work as well as a fast Intel CPU. Our parent corporation pushed a software-based session management package for an internal web-based app on us; the point was to create a virtual 'session' of sorts for security reasons. We suggested instead just setting up Apache to proxy the users' connections to the backend. But they said they had tried that, including using hardware-based SSL encryption accelerators in some 500 MHz Sun boxes, and the performance had been awful and unable to scale past about 30 users. However, according to a study called "SSL Accelerator Performance: Determining metrics and limiting factors" by SimpleAccess (I can't find the document on the web anywhere, but I have a printed copy that I could scan if anyone is interested), while CPU speed often is a minor factor in performance, especially in Unix contexts, encryption is one area where CPU speed DOES matter. We put in a couple of dual-CPU 1.4 GHz boxes (the fastest available at the time) and are able to proxy well over 100 encrypted user sessions per box, and they never break a sweat. We have two boxes just for redundancy, since they're cheap. We got rid of corporate's software-based solution (which was a pain to configure and manage) and we've never had any problems since.

All of which is to say that if you are going to do a bunch of VPN sessions, I think you'll have more success with faster CPUs than with hardware-based accelerators.

Petre