
Check Point Performance Brief


This brief presents FireWall-1 and VPN-1 performance running on open platforms and selected Secured by Check Point Appliances. For performance data on all appliances and additional open platforms, see the Platform Selection Guide.

Gigabit Security Solutions:

  • Security Acceleration

  • Gateway Clustering

Scaling Connections and Tunnels:

  • Concurrent Firewall Connections

  • Concurrent VPN Tunnels


Security Acceleration


For high-speed firewall and VPN gateways, Check Point customers have a choice of multiple security acceleration solutions.

  • VPN-1 Accelerator Cards improve VPN-1 gateway performance by offloading DES/3DES encryption from the host CPU to a cryptographic processor resident on a PCI-compatible add-in card.

    • Check Point SecureXL Turbocard is a dedicated cryptographic accelerator card built upon Corrent Corporation's Packet Armor security processor and IBM's PowerNP network processor. Equipped with three integrated gigabit Ethernet interfaces, Turbocard is the world's first multifunctional security line card capable of delivering nearly 3 Gbps of VPN and firewall performance, even with small (64-byte) packets.

    • VPN-1 Accelerator Card III: wire-speed VPNs are enabled by high-performance encryption acceleration for 3DES IPSec/IKE VPN-1 deployments. The card also offloads the CPU for IKE session setup and SSL processing. The VPN Accelerator Card III can achieve up to 400 Mbps IPSec-3DES performance.

    • VPN-1 Accelerator Card II: wire-speed VPNs are enabled by high-performance encryption acceleration for 3DES IPSec/IKE VPN-1 deployments. The card also offloads the CPU for IKE session setup and SSL processing. The VPN Accelerator Card II can achieve up to 200 Mbps IPSec-3DES performance.
    • Intel Pro/100S is an Ethernet/Fast Ethernet network interface card with an onboard cryptographic coprocessor. This card is supported only on the Windows NT/2000 platforms.

  • Check Point's new SecureXL API is an open interface that offloads multiple security processes to network processors or optimized software modules. Processes that can be offloaded include: FireWall-1 state table look-ups, encryption, public key operations, and network address translation. SecureXL-enabled solutions will be available in a number of form factors including software modules, PCI add-in cards, and SecureXL-enabled appliances. Currently available solutions leveraging the API include the following.

    • Check Point's Performance Pack is a software-based firewall and VPN acceleration module for Linux platforms. The Performance Pack greatly reduces the computing overhead associated with packet processing for existing connections by implementing access control, NAT, accounting, encryption, and anti-spoofing processes at the hardware interrupt level.


    • Nortel's Alteon Switched Firewall System is a high-speed firewall solution consisting of a high performance switch and multiple FireWall-1 modules. The SecureXL API is used to copy connection table information for existing connections to the switch. The switch then handles packet processing for all ongoing connections achieving tremendous gains in firewall performance.


    • RapidStream Appliances are ASIC based firewall and VPN appliance solutions that leverage the SecureXL API to enable multi-Gigabit throughput. SecureXL offloads intensive firewall and VPN processes to RapidCore chips, RapidStream's custom programmable security ASICs.

    • Nokia Flows is a software-based firewall acceleration technology included with the IP Series appliances. Flows accelerates firewall throughput by implementing access control processes at the hardware interrupt level. This greatly reduces the computing overhead associated with processing a packet from an existing connection. Flows is similar to Check Point's Performance Pack with the following exceptions:


      • Supports only Nokia's IPSO operating system

      • Based on an early implementation of the SecureXL API; accelerates firewall throughput only.


Notes:

  • Intel Pro/100S performance is based upon Windows NT dual 1.7 GHz Xeon tests.

  • Accelerator Card II throughput is based upon dual 1.7 GHz Xeon Windows NT/2000 and Linux platform tests.

  • Accelerator Card III throughput is based upon SecurePlatform with dual 3.06 GHz Xeon.

  • SecurePlatform with Performance Pack number is based upon dual 3.06 GHz Intel Xeon.


Gateway Clustering Technologies


Check Point gateway clustering technologies enable Gigabit VPN-1/FireWall-1 gateway deployments with the added benefit of high availability. Clustering solutions distribute traffic between multiple gateways connected in a cluster configuration. This way, the total computing capacity of multiple gateways can be combined to increase throughput capacity. In addition, if any cluster member becomes unavailable, the connections serviced by the unavailable gateway fail over to the remaining cluster members. Check Point delivers two clustering technologies: ClusterXL and VPN Load Distribution.


ClusterXL


ClusterXL is a software-based load sharing and high availability add-on product for VPN-1/FireWall-1. With ClusterXL, both encrypted and non-encrypted traffic may be distributed between multiple gateways. Load sharing improves firewall/VPN throughput and connection establishment rate. Up to five gateways may be added to a cluster. In addition, ClusterXL provides "stateful" fail-over.

Stateful fail-over means that if a gateway goes down, all ongoing connections fail over to a backup gateway without any interruption. The table below presents two-gateway VPN cluster performance using ClusterXL.


Test Gateways: SecurePlatform on dual Intel Xeon 3.06GHz
Load Sharing/High Availability Solution: Check Point ClusterXL


VPN Load Distribution


VPN Load Distribution is a VPN-1 feature that distributes remote access connections between multiple gateways. Load distribution is achieved by configuring the remote clients (SecuRemote or SecureClient) to randomly select a gateway destination from a list of gateways configured in a cluster. Because the load distribution decision (and its associated computing overhead) is pushed to the clients, performance gains with each additional gateway are perfectly linear and there is no limit to the number of gateways that can be added to a cluster. The chart below illustrates how four VPN-1 gateways may be combined to deliver 2.84 Gbps total VPN throughput. It is important to note that with VPN Load Distribution, fail-over is not stateful. If a gateway goes down, the connection is interrupted. However, the VPN client automatically finds a backup gateway and establishes a new connection.


Test Gateways: Linux Dual Xeon 2.2 GHz with Performance Pack
Load Balancing/High Availability Solution: VPN-1 Load Distribution



Concurrent Firewall Connections


Concurrent firewall connections specifications refer to the number of simultaneous connections that can be maintained between hosts on either side of the firewall. The concurrent connection capacity of a single gateway depends primarily on the amount of memory available in the gateway appliance or server. A VPN-1/FireWall-1 system with 1 GB of memory can support 1,500,000 concurrent firewall connections. Keep in mind, however, that network bandwidth may prove to be the limiting factor before the concurrent connection limit is reached.


Concurrent VPN Tunnels


Concurrent VPN Tunnels specifications refer to the total number of VPN tunnels that can be maintained between a single VPN gateway and peer VPN devices. Peer devices may include either remote access VPN clients or VPN gateways. This number depends on the amount of memory available in the VPN appliance or server. A VPN-1/FireWall-1 system with 1 GB of memory can support up to 40,000 tunnels. Keep in mind, however, that since each tunnel consumes a certain amount of bandwidth, throughput limits may be reached before the concurrent VPN tunnel limit. For example, if each tunnel consumes an average of 10 Kbps, 10,000 tunnels require 100 Mbps of network bandwidth.


© 1996-2010 REX GLOBAL CORPORATION

All Rights Reserved