Firewall technical indicators: concurrent connections / throughput
Key indicator of a firewall: concurrent connections
The number of concurrent connections describes the capacity of a firewall or proxy server to process business traffic: it is the maximum number of point-to-point connections the firewall can handle at the same time. It reflects the device's access control capability and its ability to track connection state across many connections, and its value directly limits how many information flows the firewall can support.
The number of concurrent connections is an important measure of firewall performance. Looking at the current range of common firewall equipment, low-end devices are rated for 500 or 1,000 concurrent connections, while high-end devices are rated for tens or hundreds of thousands, several orders of magnitude more. So what does "concurrent connections" actually mean, and how does its size affect the user's daily work? To understand it you first need the concept of a "session". This is not a conversation in the everyday sense, although the everyday meaning helps: when two people talk, one asking and the other answering, we call that a dialogue, or a session. Likewise, when we use a computer and open a window or a web page, that can also be called a session. Extend this to a local area network: all the users who want to reach the Internet through the firewall open many windows or web pages, each of which is a session, and the maximum number of such sessions the firewall can handle at once is its number of concurrent connections.
Just as a router keeps its routing information in a routing table, the firewall also maintains a table, called the concurrent connection table, in which it stores information about the connections it is tracking. Memory for this table is allocated dynamically after the firewall system starts, and its size is the maximum number of concurrent connections the firewall can support. A larger connection table raises the maximum number of concurrent connections and lets the firewall serve more client terminals. It therefore seems that the more concurrent connections a firewall supports, the better. But an oversized concurrent connection table also brings certain negative effects:
1. Increasing the number of concurrent connections consumes system memory
Taking 300 B per entry in the connection table, 1,000 concurrent connections occupy 300 B × 1,000 × 8 bit/B ≈ 2.3 MB of memory, 10,000 concurrent connections take 23 MB, 100,000 concurrent connections take 230 MB, and a product that genuinely supports 1,000,000 concurrent connections needs to provide 2.24 GB of memory!
2. Increasing the number of concurrent connections must take full account of CPU processing power
The CPU's main task is to forward traffic from one network segment to another and, during forwarding, to perform permission checks, traffic statistics and access auditing according to the configured access control policy. This requires the firewall to continuously read and write the corresponding entries in the concurrent connection table. If the connection table grows beyond what the CPU can handle, the firewall's latency in processing connection requests inevitably rises; some connections time out, clients resend and more connection packets arrive, which causes still more timeouts, and finally an avalanche effect forms that can bring down the entire firewall system.
3. The actual carrying capacity of the physical links severely limits how much of its large concurrent connection capacity a firewall can actually use
Although many firewalls offer 10/100/1000 Mbps network interfaces, a firewall is usually deployed at the Internet exit, and on the path between the client PC and the destination resource there is always a bottleneck link, which may be a 2 Mbps line or even a low-speed 512 kbps or 64 kbps link. Such congested low-speed links cannot carry many concurrent connections, so even a firewall that supports large-scale concurrent access cannot deliver its rated performance there. For this reason, the size of the concurrent connection table should be chosen according to the specific network environment and the users' Internet habits: networks of different sizes produce different numbers of concurrent connections, and which network services users are accustomed to, and how they use them, also produce different concurrent connection requirements. Firewall devices rated for high concurrent connections usually require a larger investment, because raising the number of concurrent connections involves many factors such as data structures, CPU, memory, system bus and network interfaces. Finding the right balance between the cost of the equipment and the performance it can deliver is therefore an important task in product selection, and a reasonable estimate of the required number of concurrent connections is the recommended way to reach it.
Taking 10.5 concurrent connections per user, a small or medium-sized enterprise network (1,000 information points, accommodating four Class C address spaces) produces about 10.5 × 1,000 = 10,500 concurrent connections, so a firewall supporting 20,000 to 30,000 maximum concurrent connections meets the need. A large enterprise network (for example, 10,000 information points) requires about 105,000 concurrent connections, so a firewall supporting 100,000 to 120,000 maximum concurrent connections fits the company's actual situation. For large telecom operators and ISPs, a carrier-grade Gigabit firewall (supporting 120,000 to 200,000 concurrent connections) is the appropriate choice. Buying high-end firewall equipment for low demand wastes the user's investment, while a low-end device cannot reach the expected performance indicators for high demand. Using the overall concurrent connection requirement to select the firewall product helps users quickly and accurately identify the product they need, avoids blindly chasing the idea that bigger numbers are better, shortens the design and construction cycle, and saves the enterprise money, so that the most reasonable security protection is implemented for the enterprise.
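As an added illustration (not code from the article), here is a minimal model of the concurrent connection table described above: a fixed number of entries, one per tracked session, freed when the session goes idle, with new sessions refused once the table is full. It also carries the two planning figures the article uses, 300 B per table entry and 10.5 connections per user; the 30 s idle timeout and the packet trace are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass, field

BYTES_PER_ENTRY = 300      # per-entry cost used in the article's memory figures
CONNS_PER_USER = 10.5      # planning ratio used in the article's sizing example
IDLE_TIMEOUT = 30.0        # seconds an idle session stays in the table (assumed)

def table_memory_bytes(max_connections: int) -> int:
    """Memory needed by a connection table at 300 B per entry."""
    return max_connections * BYTES_PER_ENTRY

def required_connections(users: int) -> int:
    """Planning estimate: 10.5 concurrent connections per user, rounded up."""
    return math.ceil(users * CONNS_PER_USER)

@dataclass
class ConnTable:
    max_entries: int                              # fixed table size, as on a real device
    entries: dict = field(default_factory=dict)   # flow 5-tuple -> last-seen time
    dropped: int = 0                              # packets refused because the table was full

    def handle(self, now: float, flow: tuple) -> bool:
        """Track the packet's session; return False if it had to be dropped."""
        for k in [k for k, seen in self.entries.items() if now - seen > IDLE_TIMEOUT]:
            del self.entries[k]                   # idle sessions free their slot
        if flow in self.entries:                  # existing session: refresh timestamp
            self.entries[flow] = now
            return True
        if len(self.entries) >= self.max_entries: # table full: new session cannot be tracked
            self.dropped += 1
            return False
        self.entries[flow] = now
        return True

def run_trace(max_entries: int, trace) -> tuple:
    """Replay (time, flow) packets; return (sessions still active, packets dropped)."""
    table = ConnTable(max_entries)
    for now, flow in trace:
        table.handle(now, flow)
    return len(table.entries), table.dropped

# Constructed trace: 4 clients each open 3 TCP flows within the first 1.1 s;
# at t=40 s only client 10.0.0.1 is still sending, so the others have idled out.
TRACE = [(i / 10, ("10.0.0.%d" % c, 40000 + i, "203.0.113.5", 80, "tcp"))
         for i, c in enumerate([1, 2, 3, 4] * 3)]
TRACE += [(40.0, ("10.0.0.1", 40000 + i, "203.0.113.5", 80, "tcp")) for i in (0, 4, 8)]

if __name__ == "__main__":
    print(table_memory_bytes(1000), required_connections(1000))  # 300000 10500
    print(run_trace(12, TRACE), run_trace(8, TRACE))            # (3, 0) (3, 4)
```

With 12 entries every session fits; with 8 entries the last four new sessions are dropped even though the clients' link is otherwise idle, which is the effect of an undersized table.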
Beyond the number of concurrent connections, the purchaser should also weigh the product's overall performance, the manufacturer's research and development capability, financial strength, business credit and business risk, and the product line's technical support and after-sales service system. All of these factors must be considered together; the large concurrent connection figures advertised by some manufacturers must be judged against the enterprise's own business systems, size, room for growth and resources.
Key indicator of a firewall: throughput
Data on the network is made up of individual packets, and the firewall spends processing resources on every packet. Throughput refers to the number of packets that pass through the firewall per unit time without packet loss.
With the growing popularity of the Internet, demand from internal network users for Internet access keeps increasing. Some companies need to provide services such as WWW page browsing, FTP file transfer and DNS domain name resolution, which causes a sharp increase in network traffic. The firewall is the only data channel between the internal and external networks; if its throughput is too small it becomes a network bottleneck and hurts the transmission efficiency of the whole network. Examining a firewall's throughput therefore helps us evaluate its performance better, and it is another important indicator of firewall performance.
Throughput is determined mainly by the firewall's network interface cards and by the efficiency of its program algorithms; the algorithms in particular can force the firewall system to perform a great deal of computation, greatly reducing the traffic it can carry. Therefore, although most firewalls are marketed as 100M firewalls, because their algorithms are implemented in software the traffic they actually handle is far short of 100M, in practice only 10M to 20M. A pure hardware firewall, thanks to its hardware implementation, can reach a line-rate throughput of 90 to 95M and is a true 100M firewall. Small and medium-sized enterprises should select a firewall with 100M-class throughput, while the large enterprise departments of telecom, finance, insurance and similar companies need Gigabit-throughput firewall products.