[K12OSN] Firewall

Petre Scheie petre at maltzen.net
Tue Oct 5 14:37:10 UTC 2004


Terrell Prudé, Jr. wrote:

> If you're talking about 500-1000 "regular", unencrypted TCP connections, 
> then virtually any Pentium II box with, say, 128MB DRAM will be somewhat 
> overkill; a 32MB 486DX-33 will do the job.  If, on the other hand, you 
> mean 500-1000 VPN connections, then you'd better get the biggest, 
> baddest, beefiest CPUs that you can possibly afford, and preferably more 
> than one physical box like that.  Personally, I'd be looking into 
> hardware crypto acceleration at that point.
> 
Actually, hardware crypto accelerators don't work as well as a fast Intel CPU. 
Our parent corporation pushed a software-based session management package for an 
internal web-based app on us; the point was to create a virtual 'session' of 
sorts for security reasons.  We suggested instead just setting up Apache to 
proxy the users' connections to the backend.  But they said they had tried that, 
including using hardware-based SSL encryption accelerators in some 500 MHz Sun 
boxes, and the performance had been awful and unable to scale past about 30 
users.  However, according to a study called "SSL Accelerator Performance: 
Determining metrics and limiting factors" by SimpleAccess (I can't find the 
document on the web anywhere, but I have a printed copy that I could scan if 
anyone is interested), while CPU speed often is a minor factor in performance, 
especially in Unix contexts, encryption is one area where CPU speed DOES matter. 
We put in a couple of dual-CPU 1.4 GHz boxes (the fastest available at the 
time) and are able to proxy well over 100 encrypted user sessions per box, and 
they never break a sweat. We have two boxes just for redundancy, since they're 
cheap. We got rid of corporate's software-based solution (which was a pain to 
configure and manage) and we've never had any problems since.

All of which is to say that if you are going to do a bunch of VPN sessions, I 
think you'll have more success with faster CPUs than with hardware-based 
accelerators.

Petre
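The setup Petre describes, Apache terminating SSL in front of the application and proxying user connections to the backend, as an added configuration example that is not from this thread or its authors; the hostname, certificate paths and backend address are assumptions, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example, not from the K12OSN thread. Apache httpd terminates TLS on the
# front box (where CPU speed matters, per the thread) and reverse-proxies to a
# plain-HTTP backend on the internal network. Names and paths are assumed.

# Session cache is a server-level directive (not allowed inside VirtualHost).
# Resuming sessions avoids repeating the full handshake, the most CPU-heavy
# part of each encrypted user session.
SSLSessionCache "shmcb:/var/run/httpd/ssl_scache(512000)"
SSLSessionCacheTimeout 300

Listen 443
<VirtualHost *:443>
    # Assumed public name of the proxied application
    ServerName app.example.org

    SSLEngine on
    # Assumed certificate and key locations
    SSLCertificateFile    /etc/ssl/certs/app.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.org.key
    # Refuse legacy protocol versions on the public side
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on

    # Reverse proxy only; never allow the box to act as an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # Assumed backend address; restrict who may reach it through the proxy
    <Proxy "http://10.0.0.10:8080/">
        Require all granted
    </Proxy>
    ProxyPass        "/" "http://10.0.0.10:8080/"
    ProxyPassReverse "/" "http://10.0.0.10:8080/"

    # Let the backend know the client connection was encrypted
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, and keep the backend port reachable only from the proxy hosts so users cannot bypass the TLS front end.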



