On 10/4/06, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> On 10/4/06, Rainer Duffner <[EMAIL PROTECTED] > wrote:
> > At least in this respect, pfSense is still a clear packet-filter only ;-)
> > And ideally, it should stay this way while analyzing packet-content
> > should occur elsewhere (because it also needs much more CPU-power).
>
>
> Sorry, but I do not agree totally with you: the thing I love with pfSense is
> that it is possible to install it everywhere, so it could be a _real_
> competitor to enterprise products (like Cisco ASA). So, I think that
> CPU-power should not be a limit.

We have a serious disadvantage against hardware firewalls. Where they
can crank out ASICs tuned to specific needs (which comes with a
disadvantage we don't have...flexibility), we're stuck with general
purpose CPUs which aren't necessarily fast. Thankfully, encryption
boards supported by FreeBSD aren't terribly difficult to come by, but
there are other code paths that could be sped up considerably by
hardware optimized for it.

You're totally right, I know. But I think we have to consider at least 2 factors:

1) I am not aware (please, somebody out there perhaps could help me) of any table or benchmark result that could help us to have a rough estimation of CPU load during normal IPS work. My intention is to install a solution that is not GUI-managed (just to speed up the testing phase), and try to do such an estimation.
2) There can be installations or places in which normal hardware (such as mini-ITX mobos) could be sufficient to manage the CPU load, because of a small internet link.

I only would like to know if this could be of any interest for the community (so at the end of the test, I have to deal with package creation), or if I'll be the only one interested in that. Just to know....

Tom
