The number of concurrent connections describes how much business traffic a firewall or proxy server can handle. It is the maximum number of point-to-point connections the firewall can process at the same time, and it reflects the device's ability to enforce access control and track connection state across many connections at once. The size of this parameter directly determines the maximum number of information points (client endpoints) the firewall can support.
The number of concurrent connections is an important indicator of firewall performance. Looking at the descriptions of common firewall devices on the market, the figure ranges from 500 or 1000 concurrent connections on low-end devices to tens or hundreds of thousands on high-end devices, a difference of several orders of magnitude. So what exactly is a concurrent connection, and how does its size affect users' everyday work?

To understand the number of concurrent connections, you must first understand the concept of a "session". This "session" is not a conversation in the everyday sense, but it can be understood by analogy with one: when two people talk, one speaks, the other answers, and we call that a conversation or session. Similarly, when we work on a computer, each window or Web page we open can be regarded as a "session". Extending this to a LAN, all users access the Internet through the firewall and open many windows or Web pages (that is, sessions); the maximum number of sessions that the firewall can handle at once is its number of "concurrent connections".

Just as a router keeps a routing table to store route information, the firewall keeps a table of its own, the concurrent connection table, in which it stores the state of every tracked connection. After the firewall system starts, it dynamically allocates memory for this table, and the table's capacity is the maximum number of concurrent connections the firewall supports. A large concurrent connection table raises that maximum and lets the firewall serve more client terminals. It may therefore seem that for products like firewalls, the larger the number of concurrent connections the better. But an oversized concurrent connection table also has negative effects:
1. An increase in the number of concurrent connections means more system memory is consumed.
1000 concurrent connections occupy 1000 B of memory; 10000 concurrent connections occupy B × 8 bit/B ≈ MB of memory; concurrent connections occupy 23 MB of memory; and 100000 concurrent connections will occupy 1000000 MB of memory space. If you try to implement concurrent connections, the product would require GB of memory space!
2. The CPU's processing capacity must be fully taken into account when the number of concurrent connections increases.
The CPU's main task is to forward network traffic from one network segment to another as quickly as possible. During forwarding it must also inspect the traffic against an access control policy, keep traffic statistics, and perform access auditing, all of which require the firewall to continually read and update the corresponding entries in the concurrent connection table. If the connection table is enlarged without regard to the CPU's actual processing capacity, the firewall's latency in handling connection requests inevitably grows. Some connections then time out and the clients retransmit, sending even more connection packets; this causes still more connections to time out, an avalanche effect forms, and the whole firewall system can collapse.
3. The actual carrying capacity of the physical links seriously limits the firewall's ability to handle massive numbers of concurrent connections.
Although many firewalls now provide 10/100/Mbit/s network interfaces, a firewall is usually deployed at the Internet egress, on the path between the client PCs and the target resources, and somewhere on that path there is always a bottleneck link: it may be a 2 Mbps leased line, or a 512 Kbps or even 64 Kbps low-speed link. Such congested low-speed links simply cannot carry a large number of concurrent connections, so even if the firewall can support large-scale concurrent access, it cannot deliver its rated performance.
In view of this, the size of the concurrent connection table should be chosen according to the specific network environment and the Internet usage habits of the people on it. Networks of different sizes generate different numbers of concurrent connections, and users have different requirements depending on which network services they are used to and how they use them. Firewall devices with high concurrent connection counts usually require a larger investment, because increasing the number of concurrent connections involves data structures, CPU, memory, system bus, network interfaces, and other factors. Finding the right balance between reasonable equipment investment and the performance actually delivered is an important task when selecting a product, and it is recommended to judge the soundness of a proposal by its number of concurrent connections.
It is calculated that each user requires 10.5 concurrent connections. A small or medium-sized enterprise network (fewer than 1000 information points, which fit in 4 class C address spaces) therefore needs about 10.5 × 1000 = 10500 concurrent connections, so a firewall with a maximum of 20000 ~ 30000 concurrent connections can meet its needs. Large enterprises and institutions (with, say, 1000 ~ 10000 information points) need 105000 concurrent connections, so a firewall with a maximum of 100000 ~ 120000 concurrent connections can meet their actual needs. For large telecom operators and ISPs, a gateway-level gigabit firewall (supporting 120000 ~ 200000 concurrent connections) is the right choice. Adopting a high-end firewall for a lower demand wastes the user's investment; adopting a low-end device for higher needs will not meet the expected performance indicators. Selecting firewall products according to the network's overall concurrent connection requirement helps users quickly and accurately identify the right product, avoids the blind pursuit of a single "bigger is better" parameter, shortens the design and construction cycle, saves the company's money, and so yields the most reasonable security protection solution for the enterprise.
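The sizing rule above (connections per user × information points, mapped onto the article's three firewall classes) as an added example that is not part of the original article. Rather than assuming 10.5, it measures the per-user figure from a constructed, simplified conntrack-style snapshot, and it adds a peak-with-headroom estimate (my assumption, not the article's method) because the busiest hosts, not the average, are what exhaust the table.

```python
"""Size a firewall connection table from a connection-table snapshot.

Added example, not from the original article. SNAPSHOT is a constructed,
simplified listing ("proto src:port dst:port state"); real firewalls differ.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

SNAPSHOT = """\
tcp 192.168.1.10:51000 203.0.113.5:443 ESTABLISHED
tcp 192.168.1.10:51001 203.0.113.5:443 ESTABLISHED
tcp 192.168.1.10:51002 198.51.100.7:80 TIME_WAIT
udp 192.168.1.11:53120 203.0.113.53:53 UNREPLIED
tcp 192.168.1.11:51003 203.0.113.9:443 ESTABLISHED
tcp 192.168.1.12:51004 203.0.113.9:443 ESTABLISHED
tcp 192.168.1.12:51005 203.0.113.9:443 ESTABLISHED
tcp 192.168.1.12:51006 203.0.113.9:443 ESTABLISHED
tcp 192.168.1.12:51007 203.0.113.9:443 ESTABLISHED
"""

INSIDE = ip_network("192.168.0.0/16")  # assumption: the LAN behind the firewall

def connections_per_user(snapshot: str) -> Counter:
    """Count table entries per internal source host. Half-open and TIME_WAIT
    entries still occupy a slot, so they are deliberately not filtered out."""
    per_user: Counter = Counter()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        src = fields[1].rsplit(":", 1)[0]
        if ip_address(src) in INSIDE:
            per_user[src] += 1
    return per_user

def size_table(per_user: Counter, information_points: int, headroom: float = 2.0) -> dict:
    """Article's method: average per-user count x information points.
    Added peak estimate: busiest host x points x headroom (assumption)."""
    avg = sum(per_user.values()) / len(per_user)
    peak = max(per_user.values())
    return {"avg_per_user": avg, "peak_per_user": peak,
            "article_method": round(avg * information_points),
            "peak_with_headroom": int(peak * information_points * headroom)}

def recommended_tier(required: int) -> str:
    """Map a requirement onto the three classes the article describes."""
    if required <= 30000:
        return "20000-30000 (small/medium enterprise)"
    if required <= 120000:
        return "100000-120000 (large enterprise)"
    return "120000-200000 (gateway-level gigabit)"

if __name__ == "__main__":
    estimate = size_table(connections_per_user(SNAPSHOT), information_points=1000)
    print(estimate, recommended_tier(estimate["peak_with_headroom"]))
```

Run it against a real snapshot taken at the busiest hour; a sample taken at night will understate both the average and the peak.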
When using the concurrent connection count to select a firewall product, the purchaser should also consider the product's overall performance, the vendor's R&D strength, capital strength, business reputation and business risk, and the technical support and after-sales service behind the product line, weighing all these factors together. Do not blindly accept the large concurrent connection figures promoted in some manufacturers' advertising; base the decision on your own business systems, enterprise scale, room for growth, and resources.