On Mon, 24 Jan 2000, David Lang wrote:
> If the firewall is between two LANs then I would possibly worry about it,
> but when the firewall is connecting to the internet consider what sort of
> latencies you will see from your switch or firewall compared to the time
> needed to get across the internet. If you are lucky and both you and your
> destination are on good connections you should see internet latencies in
> the range of 40-100ms; modem users survive with latencies starting at
Actually, at my current-for-the-next-few-days employer, we were starting
to look into DWDM solutions for our Metro Area Network, and I'd have
expected single-digit latencies to our peering points.
> ~200-300ms and I am not aware of much (other than game stuff) where
> latencies start to be a real problem before they get over ~500ms (please
> correct me if you have other info)
High-end streaming media users find latency to be significant, especially
when trying to do certain things; most of it is production-quality stuff
where high bandwidth is a necessity.
We typically depreciated hardware on a 4 or 6 year cycle, so dropping
something in today meant having to support it in production for at least 3
years. That changes the landscape of how far ahead you need to scale
systems for, and makes you look pretty hard for the optimum solution given
the budget and performance.
> what sort of latencies are you expecting to see from the switch or
> firewall?
For packet filtering, I don't like to see more than 3ms. From a proxy,
20ms is about optimum, 50 on the outside.
> Also I would expect that any firewall should have packet defragmenting
> turned on to protect the internal machines, even though this costs more
> CPU/memory on the firewall and does add some latency as the packet cannot
> be re-transmitted until it is fully received.
It really depends on what kind of firewall and what your security posture
is compared to your performance requirements. For packet filters, I'd say
that it'd have to be a pretty unusual circumstance to have me not defrag
packets though.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280