Re: Speed of firewall with AV/DI (Was Re: Small office firewall/vpn/security appliance)
comp.security.firewalls archive


From: CCMiami <nospam@modeldriven.org>
Date: Thu Sep 29 2005 - 06:39:14 CEST

Ok,
The servers in the DMZ provide Mail, web, wiki, ftp, minor DBMS and version
control.
The FTP and version control can demand high bandwidth - but these are
exactly the places I would like to have an extra check for, so we don't get
a virus checked in or infecting the servers from an infected laptop.
The external connection is 2 up/ 4 down business cable (he said with
trepidation)

So, (he said cringing) how far up the scale do you have to go to get AV
running at better than, say, 50Mbps?

"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:Y6v_e.13258$p5.13093@nnrp.ca.mci.com!nnrp1.uunet.ca...
>
> "CCMiami" <nospam@modeldriven.org> wrote in message
> news:ypc_e.70756$Cc5.61492@lakeread06...
>> Based on the note from Russ (below) the speed of the firewall with all
>> the options turned on is an issue. We would like to have some protection
>> turned on internally (to the servers in the DMZ) as well as on the
>> external side in case people pick up viruses and bring them in (we have a
>> lot of people with laptops). We also don't want the network running at a
>> crawl!
>>
>> Has anyone done speed tests on the routers with the options on? Or, are
>> there reviews or information from the suppliers?
>>
>> The data point from Russ is: the Fortigate 60 would run about 50Mbps IPS
>> and up to around 8 to 10Mbps AV, give or take depending on the traffic
>> and the configuration.
>
> A FG60 is a great box for most smallish offices running DSL, T1, or
> something up to maybe around 10Mbps.
>
> It's not sufficient for using in front of internal servers from which you
> expect 100Mbps LAN-speed performance.
>
> If your servers are things like web servers with a moderately low demand,
> you're probably fine with using it with IPS enabled and getting in that
> 50Mbps range. Similar for mail servers unless they're a well-used
> Exchange or Notes type application server, but a sendmail type box for
> strictly email should be fine. I would think you could probably enable
> virus scan on incoming email only in that config (mail server in the DMZ)
> but I wouldn't push your luck much farther than that, and I would tune it
> as much as possible and keep an eye on the system resources.
>
> The numbers I'm giving to you come from Fortigate's internal testing and
> my own field experience. They really, truly do vary a lot based on your
> implementation.
>
> Why don't you tell me a bit more about that... what kind of servers are
> going where, how busy they are, what your main Internet feed is, and what
> protections you want where?
>
> I have done implementations of Fortigates in front of internal servers but
> they were significantly bigger boxes than a FG60.
>
> -Russ.
>
Received on Thu Sep 29 20:11:13 2005