Re: Speed of firewall with AV/DI (Was Re: Small office firewall/vpn/security appliance)


comp.security.firewalls archive

From: Somebody. <somebody.@spamout.russdoucet.com>
Date: Wed Sep 28 2005 - 13:27:45 CEST

"CCMiami" <nospam@modeldriven.org> wrote in message
news:ypc_e.70756$Cc5.61492@lakeread06...
> Based on the note from Russ (below) the speed of the firewall with all the
> options turned on is an issue. We would like to have some protection
> turned on internally (to the servers in the DMZ) as well as on the external
> side in case people pick up viruses and bring them in (we have a lot of
> people with laptops). We also don't want the network running at a crawl!
>
> Has anyone done speed tests on the routers with the options on? Or, are
> there reviews or information from the suppliers?
>
> The Data point from Russ is; the Fortigate 60 would run about 50Mbps IPS
> and up to around 8 to 10Mbps AV, give or take depending on the traffic and
> the configuration.

A FG60 is a great box for most smallish offices running DSL, T1, or
something up to maybe around 10Mbps.

It's not sufficient for using in front of internal servers from which you
expect 100Mbps LAN-speed performance.

If your servers are things like web servers with a moderately low demand,
you're probably fine with using it with IPS enabled and getting in that
50Mbps range. Similar for mail servers unless they're a well-used Exchange
or Notes type application server, but a sendmail type box for strictly email
should be fine. I would think you could probably enable virus scan on
incoming email only in that config (mail server in the DMZ) but I wouldn't
push your luck much farther than that, and I would tune it as much as
possible and keep an eye on the system resources.

The numbers I'm giving to you come from Fortigate's internal testing and my
own field experience. They really, truly do vary a lot based on your
implementation.

Why don't you tell me a bit more about that... what kind of servers are
going where, how busy they are, what your main Internet feed is, and what
protections you want where?

I have done implementations of Fortigates in front of internal servers but
they were significantly bigger boxes than a FG60.

-Russ.
Received on Thu Sep 29 20:11:08 2005