Page 1
COMMUNIQUÉ
.
.
.
.
September, 1997
Prepared By
Internet Solutions
Engineering and Asia
Pacific Division
Engineering Support
Compaq Computer
Corporation
CONTENTS
Executive Summary ..............0
Overview of Novell
BorderManager
Features ......................... 0
Performance
Results........................... 0
Comparison of 10 Mbps Shared
and 10 Mbps Switched...........0
Comparison of 10 Mbps
Switched and 100 Mbps Shared
Network............................... 0
ECG028.0897
.
.
.
.
Novell BorderManager
.
.
.
.
.
.
.
Performance Management on
.
.
.
.
.
.
.
Compaq Server Platforms
.
.
.
.
.
.
.
.
.
Executive Summary
.
.
.
.
.
.
What is BorderManager?
.
.
.
.
.
Novell BorderManager is the industry’s first integrated family of directory-based network services
.
.
.
that manages, secures, and accelerates user access to information at every network border—the
.
.
.
point where any two networks meet. Through a single point of administration, you can manage
.
.
.
network security policies, protect confidential information, establish user access privileges to
.
.
.
Internet content, and reduce WAN connectivity costs. BorderManager improves intranet and
.
.
.
Internet access and provides a standards-based performance foundation to support your company’s
.
.
.
network infrastructure. Features include packet filters, application proxy services, circuit gateways,
.
.
.
advanced proxy cache, secure remote access and Virtual Private Network, with end-to-end
.
.
.
encryption across the Internet.
.
.
.
.
A detailed description of each firewall component begins on page 3. Novell BorderManager
.
.
.
improves the performance of Web servers by providing Proxy cache services and HTTP
.
.
.
Acceleration, also referred to as Reverse Proxy.
.
.
.
.
.
.
.
Compaq/Novell Joint Effort
.
.
.
.
• Compaq and Novell engineers working together enabled comprehensive Proxy Cache, HTTP
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1
Acceleration, IP/IP and IP/IPX Gateway, and VPN testing. The Compaq engineering team
consisted of representatives from the Asian Pacific Division, Novell Internet Solutions
Division, and Novell Core Technologies Division. Novell engineers from the Information
Access Division, Advanced Development Group, and Novell SuperLabs contributed to the
overall test effort. Support from BorderManager developers was also provided when
necessary.
• Testing was conducted in Novell’s SuperLab in Provo, Utah. This facility consists of over
1400 PC’s of various types and networking equipment. Using switches and routers combined
with the ability to create various WAN links, a real world network was simulated.
Performance Improvements
• Enabling Proxy Cache can increase requests per second as much as 118% while throughput
can increase as much as 116% for a 10Mbps network.
• Enabling HTTP Accelerator can increase requests per second as much as 286% while
throughput can increase as much as 282% for a 10Mbps network. Increases in requests per
second can be as much as 575% while throughput can be increased by as much as 591% when
upgrading to a 100Mbps network.
Page 2
Communiqúe (cont.)
.
.
NOTICE
.
.
.
.
.
The information in this publication is subject to change without notice.
.
.
.
ECG028.0897
.
.
.
.
COMPAQ COMPUTER CORPORATION SHALL NOT BE LIABLE FOR TECHNICAL
.
.
.
OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR
.
.
.
INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE
.
.
FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL.
.
.
.
.
.
This publication does not constitute an endorsement of the product or products that were tested.
.
.
.
The configuration or configurations tested or described may or may not be the only available
.
.
.
solution. This test is not a determination of product quality or correctness, nor does it ensure
.
.
.
compliance with any federal, state or local requirements. Compaq does not warrant products other
.
.
.
than its own strictly as stated in Compaq product warranties.
.
.
.
.
Product names mentioned herein may be trademarks and/or registered trademarks of their
.
.
.
respective companies.
.
.
.
.
.
Compaq, ProLiant, SmartStart, and NetFlex are registered with the United States Patent and
.
.
.
Trademark Office.
.
.
.
.
Netscape Navigator is a registered trademark of Netscape Communications Corporation.
.
.
.
.
.
Other product names mentioned herein may be trademarks and/or registered trademarks of their
.
.
.
respective companies.
.
.
.
.
©1997 Compaq Computer Corporation. All rights reserved. Printed in the U.S.A.
.
.
.
.
.
Novell and BorderManager are trademarks and/or registered trademarks of Novell Incorporated.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
2
Page 3
Communiqúe (cont.)
.
.
.
.
.
.
OVERVIEW OF NOVELL BORDERMANAGER FEATURES
.
.
.
.
ECG028.0897
.
Novell BorderManager offers a comprehensive, effective firewall-class solution that includes the
.
.
.
following components: Packet Filtering, Proxy Cache Services, Access Control Services, Novell
.
.
.
IP Gateway, Network Address Translation, and Virtual Private Network (VPN).
.
.
.
.
.
.
.
Proxy Cache
.
.
.
.
Using proxy cache, a WWW browser on your network or intranet sends a user's request for a file
.
.
.
residing on an Internet server to your HTTP proxy, which checks its cache for the file. If the file is
.
.
.
in cache, the proxy returns the file to the browser without having to retrieve the file from the
.
.
.
Internet server. If the file is not in cache, the proxy retrieves the file from the Internet, stores a copy
.
.
.
of the file in cache, and returns this file to the browser.
.
.
.
.
.
.
.
HTTP Accelerator (Reverse Proxy)
.
.
.
.
You can also configure the HTTP proxy to perform HTTP acceleration, meaning that the proxy
.
.
.
stores in cache a copy of files residing on your local WWW servers. Then when a WWW browser
.
.
.
on the Internet requests a file that resides on one of these servers, the proxy can retrieve the file
.
.
.
from its cache. In this way, the proxy shields your local WWW servers from the Internet and
.
.
.
conserves bandwidth by reducing the number of file requests sent over your network or intranet.
.
.
.
.
.
.
Virtual Private Network (VPN)
.
.
.
.
.
Organizations often need to connect multiple sites as well as customers, business partners and
.
.
.
outside contractors. The Internet allows organizations to use public networks to connect sites at a
.
.
.
much lower cost than using dedicated, private lines. Data between sites is encrypted to provide
.
.
.
security. Companies can combine sites into subnetworks called Virtual Private Networks (VPNs)
.
.
.
that can utilize the Internet and run on top of their existing enterprise networks.
.
.
.
.
.
.
IP / IP and IPX / IP Gateways
.
.
.
.
.
The IPX/IP gateway provides protocol translation for IPX clients, which enables them to access the
.
.
.
Internet (and TCP/IP Intranet servers) without running TCP/IP. This reduces the amount of work
.
.
.
a systems administrator has in managing IP addresses. To use the IPX/IP gateway, IPX clients
.
.
.
must run the enhanced WINSOCK.DLL file.
.
.
.
.
In addition to performing protocol translation, the IPX/IP gateway establishes a connection to the
.
.
.
Internet on behalf of the client, ensuring that there is no direct contact between the Internet host
.
.
.
and the client. The IP/IP gateway performs a similar service for IP clients. Because the gateways,
.
.
.
not the client establish the connection to the Internet, all packets that pass through the gateways
.
.
.
appear to have originated from the gateways rather than from the clients, shielding your network or
.
.
.
intranet clients from potential untrustworthy hosts.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
Page 4
Communiqúe (cont.)
.
.
.
.
.
.
PERFORMANCE RESULTS
.
.
.
.
ECG028.0897
.
.
Proxy Cache
.
.
.
.
.
Proxy cache tests were conducted using Ziff Davis WebBench™ 1.1 (WebBench™ simulates Web
.
.
.
server access). When proxy caching was enabled, the utilization on the Web Server was very low.
.
.
.
Web Server access only occurs when requested pages are not cached on the proxy server. As such,
.
.
.
a dramatic performance improvement is observed.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
4
• Requests per second (RPS) increased by an average of 54.3% with a maximum of 118.6%
• Throughput increased by an average of 52.8% with a maximum of 116.8%
Note: Throughout the proxy cache tests, the network utilization on one server NIC averaged 40%50% with a peak utilization of 62%.
1. For basic router functionality, a ProLiant 800 with 64MB of RAM is the best choice.
Processor utilization averages 5% with no noticeable decrease in performance. A more
powerful server is unnecessary.
2. The ProLiant 5000 1P 128MB RAM performed slightly better than the ProLiant 800 1P
128MB RAM.
3. Increased client loads demand additional processing power, therefore a 2-processor ProLiant
5000 is recommended. Utilization rises due to an increase in processes required to service
network interface cards.
However, please bear in mind that these are preliminary test results, a more detailed analysis with
benchmarking will follow later.
Note: In a real-world environment, the performance gain will be even higher considering
most of the outgoing links to the Internet / Extranet are based on T1 links while these tests
were conducted with a 100Mbps link from the Proxy Server to the Web Server.
HTTP Accelerator (Reverse Proxy)
Unlike a normal proxy configuration, with HTTP acceleration, there is a performance improvement
compared to the baseline of 48 clients and above.
• Requests per second (RPS) increased by an average of 325% with a maximum of 575%
• Throughput increased by an average of 352% with a maximum of 591%
• Memory does not affect performance as much as it did under normal proxy configuration
for the ProLiant 5000.
• Increasing memory has no effect on performance with low client loads but provide
minimal increase of performance at higher client loads.
• Adding processors has minimal effect on performance with low client loads but provide
modest increase of performance at higher client loads.
• Performance of a 2-processor configuration increased by an average of 11.1% with a
maximum of 38.9% over a 1-processor configuration. However, it should be noted that
the processor utilization is 100% on the 1st processor and around 5% on the 2nd processor.
The gain comes from servicing the interrupts generated by the network cards in the server.
With higher client loads this can become critical.
Page 5
Communiqúe (cont.)
.
.
IP/IP and IPX/IP Gateway
.
.
.
.
Tests where conducted using a program written by Novell called Charlotte. Charlotte uses
.
.
.
Netscape Navigator to access a user-determined list of URLs. This provides for simulation of real
.
ECG028.0897
.
.
Web usage.
.
.
.
.
After 12 hours of continuous testing there where no dropouts on the IPX / IP gateway and 6
.
.
.
occurred on the IP / IP gateway. The dropouts on the IP / IP gateway can be attributed to Netscape
.
.
.
Navigator’s, not the gateway itself. During the test, average server utilization was 5%.
.
.
.
.
.
.
.
VPN
.
.
.
.
VPN tests were conducted using NetBench® 5.01 (A Ziff Davis program which simulates normal
.
.
.
network traffic)
.
.
.
.
.
1. With VPN enabled, the throughput decreased by 46%.
.
.
.
.
2. Processor utilization never exceeded 25% throughout the test on both the ProLiant 6000
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5
(Master VPN) and the ProLiant 800 (Slave VPN).
3. The encryption process causes the decrease in throughput. Encrypted data is larger than its
non-encrypted source, which causes the available bandwidth to be saturated quicker.
However, this is a small price to pay considering the cost savings on dedicated lease lines.
4. We feel that the performance of VPN is comparable to other similar products.
Comparison of 10 Mbps Shared and 10 Mbps Switched
Moving from a 10 Mbps shared Ethernet at the clients to 10 Mbps switched Ethernet improves the
performance by as much as 142%.
Novell engineers were doing a separate test on a 100 Mbps Ethernet network and from the results,
it can be expected that the performance will improve by at least 200%.
Comparison of 10 Mbps Switched and 100 Mbps Shared Network
Testing by Novell Engineers has shown that changing to a 100 Mbps network will further improve
the performance by about 200%. There was an average 92% increase in requests per second using
an equivalently configured ProLiant 6000 on a shared 100 Mbps network compared to a ProLiant
5000 on a 10 Mbps switched network. Throughput increased by an average of 111%.
Loading...