Number of concurrent connections to firewalls

Source: Internet
Author: User
Tags: join, requires, firewall

The number of concurrent connections describes the capacity of a firewall or proxy server to handle its information flow: it is the maximum number of point-to-point connections the device can handle at the same time. It reflects the device's ability to accept connections and track their state for many simultaneous flows, and its size directly bounds the maximum amount of traffic the firewall can support.

The number of concurrent connections is an important index for measuring firewall performance. Looking at the data sheets of common firewall equipment on the market, the figures range from 500 or 1000 concurrent connections on low-end devices to tens or hundreds of thousands on high-end equipment, a difference of several orders of magnitude. So what does "concurrent connections" actually mean, and how does its size affect the user's daily work? To understand it, you first need the concept of a "session". Here a session is not an ordinary conversation, though the analogy helps: when two people talk, one says something and the other replies, and we call that exchange a dialogue or a conversation. Similarly, when we work at a computer and open a window or a web page, we can also call that a "session". Extend this to a local area network in which all users reach the Internet through the firewall and each opens a number of windows or web pages (that is, sessions); the maximum number of sessions the firewall can process at once is its number of concurrent connections.

Just as a router's routing table holds routing information, a firewall also keeps a table, which we call the concurrent connection table, in which it stores the state of each concurrent connection. Memory for this table is allocated dynamically after the firewall system starts, and its capacity is the maximum number of concurrent connections the firewall can support. A larger concurrent connection table raises that maximum and lets the firewall serve more client terminals. It might therefore seem that, for products such as firewalls, a higher concurrent connection count is always better. But an oversized concurrent connection table also brings some negative effects:

1. A larger number of concurrent connections means greater consumption of system memory

Taking each concurrent connection table entry as occupying 300 B, 1000 concurrent connections consume 300 B × 1000 × 8 bit/B ≈ 2.3 Mb of memory, 10,000 concurrent connections consume 23 Mb, and 100,000 concurrent connections occupy 230 Mb. If you really try to implement 1 million concurrent connections, the product will need to provide 2.24 Gb of memory!

2. Increasing the number of concurrent connections must take the CPU's processing capacity fully into account

The CPU's main task is to forward traffic from one network segment to another as quickly as possible and, while forwarding, to perform permission checks against the access control policy, traffic statistics and access auditing. This requires the firewall to continuously read and update the corresponding entries in the concurrent connection table. Enlarging the system's concurrent connection table without regard to the CPU's actual processing capacity is bound to increase the firewall's delay in handling connection requests. Some connections then time out, the clients resend their connection messages, the extra load causes still more timeouts, and the result is an avalanche effect that eventually crashes the entire firewall system.

3. The actual carrying capacity of the physical link seriously limits how far the firewall can use its ability to handle massive numbers of concurrent connections

Although many firewalls now offer 10/100/1000 Mbps network interfaces, firewalls are typically deployed at the Internet exit, and the bottleneck always lies somewhere on the path between the client PC and the destination resource: the bottleneck link may be a 2 Mbps line, or a low-speed link of 512 Kbps or even 64 Kbps. Such congested low-speed links simply cannot carry a very large number of concurrent connections, so even a firewall that supports a large number of concurrent connections cannot deliver its rated performance.

In view of this, the scale of the concurrent connection table should be chosen according to the specific network environment and the Internet habits of its users. Networks of different sizes produce different numbers of concurrent connections, and the way users are accustomed to using network services also produces different concurrent connection requirements. Firewall devices with high concurrent connection counts generally require a larger equipment investment, because raising the number of concurrent connections involves the data structure, CPU, memory, system bus, network interfaces and many other factors. Finding the right balance between a reasonable equipment investment and the performance that can actually be delivered is an important task when choosing a product, and judging a scheme's reasonableness by its required number of concurrent connections is a recommended method.

Assuming 10.5 concurrent connections per user, a small or medium-sized enterprise network (fewer than 1000 information points, accommodating four class C address spaces) needs roughly 10.5 × 1000 = 10,500 concurrent connections, so a firewall supporting 20,000 to 30,000 maximum concurrent connections meets the demand. A large enterprise network (for example 1000 to 10,000 information points) needs roughly 105,000 concurrent connections, so a firewall supporting 100,000 to 120,000 maximum concurrent connections meets its actual needs. For large telecom operators and ISPs, a telecom-grade gigabit firewall (supporting 120,000 to 200,000 concurrent connections) is the right choice. Using high-end firewall equipment for lower requirements wastes the user's investment, and using low-end devices for higher requirements fails to reach the expected performance targets. Selecting a firewall by the network's overall concurrent connection requirement helps users locate the right product quickly and accurately, avoids the blind "bigger is better" pursuit of a single parameter, shortens the design and construction cycle, saves the enterprise money, and so yields the most reasonable security protection scheme for the enterprise.
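The following is an added example, not code from the article or from any firewall product: a small model of the concurrent connection table described above, with a hard capacity, a 5-tuple key and an idle timeout, together with the article's memory and sizing arithmetic. The 300 B per entry and 10.5 connections per user are the article's own figures; the 5-tuple key, the idle timeout, the sample addresses and the fail-closed behaviour when the table is full (new flows are rejected while existing ones keep flowing) are assumptions made for the example.

```python
# Added example, not the article's or any vendor's code. Models a bounded,
# idle-timeout session table like the "concurrent connection table" in the
# article, plus its memory and sizing arithmetic. ENTRY_BYTES and
# CONNS_PER_USER are the article's figures; everything else is assumed.
import math
from collections import OrderedDict

ENTRY_BYTES = 300          # per-entry cost assumed by the article
CONNS_PER_USER = 10.5      # article's planning ratio per information point


def table_memory_bytes(max_entries: int, entry_bytes: int = ENTRY_BYTES) -> int:
    """Memory reserved for a table that can hold max_entries sessions."""
    return max_entries * entry_bytes


def table_memory_megabits(max_entries: int, entry_bytes: int = ENTRY_BYTES) -> float:
    """Same figure in Mb (bits / 1024**2), the unit the article quotes."""
    return table_memory_bytes(max_entries, entry_bytes) * 8 / (1024 ** 2)


def required_connections(information_points: int, per_user: float = CONNS_PER_USER) -> int:
    """Planning estimate: information points x connections per user, rounded up."""
    return math.ceil(information_points * per_user)


class ConnectionTable:
    """Bounded session table keyed by (proto, src_ip, src_port, dst_ip, dst_port).

    Entries are kept ordered by last-seen time, so expiry only inspects the head.
    When the table is full, packets for unknown flows are rejected (fail closed);
    that is the connection-timeout situation the article's avalanche scenario
    starts from.
    """

    def __init__(self, max_entries: int, idle_timeout: float) -> None:
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout
        self._entries: "OrderedDict[tuple, float]" = OrderedDict()  # key -> last seen
        self.rejected = 0

    def expire(self, now: float) -> int:
        """Drop entries idle longer than idle_timeout; returns how many were removed."""
        removed = 0
        while self._entries:
            key, last_seen = next(iter(self._entries.items()))
            if now - last_seen <= self.idle_timeout:
                break  # head is the oldest entry; everything behind it is newer
            del self._entries[key]
            removed += 1
        return removed

    def packet(self, key: tuple, now: float) -> str:
        """Process one packet; returns 'existing', 'new' or 'rejected'."""
        self.expire(now)
        if key in self._entries:
            self._entries.move_to_end(key)  # keep ordering by last-seen time
            self._entries[key] = now
            return "existing"
        if len(self._entries) >= self.max_entries:
            self.rejected += 1
            return "rejected"
        self._entries[key] = now
        return "new"

    def __len__(self) -> int:
        return len(self._entries)


def simulate_burst(max_entries: int, idle_timeout: float, flows: int, start: float = 0.0) -> dict:
    """Send `flows` distinct new flows at time `start` and report what happened."""
    table = ConnectionTable(max_entries, idle_timeout)
    outcomes = {"new": 0, "existing": 0, "rejected": 0}
    for i in range(flows):
        # constructed sample flows: one client per port, all to the same web server
        key = ("tcp", "10.0.0.%d" % (i % 254 + 1), 40000 + i, "203.0.113.10", 443)
        outcomes[table.packet(key, start)] += 1
    outcomes["occupied"] = len(table)
    return outcomes


if __name__ == "__main__":
    print("1000 entries ->", table_memory_bytes(1000), "bytes,",
          round(table_memory_megabits(1000), 1), "Mb")
    print("1000 information points ->", required_connections(1000), "connections")
    print("burst of 7 flows into a 5-entry table:", simulate_burst(5, 30, 7))
```

The rejected count is the number an operator should watch: on a real device it is the figure that grows just before the avalanche the article describes. On Linux the equivalent table is netfilter's conntrack, sized by `net.netfilter.nf_conntrack_max`, and the kernel logs "nf_conntrack: table full, dropping packet" when it overflows, which is a useful detection signal for the same condition.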
