On 25 February 2010 22:30, Joel Wiramu Pauling
The place to do this is at the edges via routing policies and stateless ACLs, not in firewalls.
And, no, the largest enterprise firewalls make all these marketing claims about the numbers they can handle, but the reality is quite different - having spent the better part of a decade working for the largest vendor of firewalls in the world, I can assure you of that.
There is a trend in router manufacturers to offer flow classification add-in modules for doing service differentiation. While not stateful firewalls as such, they do deep packet inspection and flow tagging in much the same way. These are designed to scale with the routing capacities. And they definitely exist. Also, there is currently a bunch of cool pf kernel-space extensions being added to OpenBSD to allow similar offload to GPUs, which would bring this sort of ability to consumer-level hardware. This is a little off topic from the original context, however. -JoelW
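The stateless-ACL point quoted above (filter at the edge with per-packet rules that keep no flow state, rather than relying on a stateful firewall's connection table) can be shown with a small model. The code below is an added example and is not from this thread or from any router or firewall vendor; the ACL policy, the 203.0.113.0/24 destination prefix, the 100.64.0.0/10 source addresses and the flow-table capacity of 1000 are all constructed for illustration. It evaluates a router-style first-match ACL (implicit deny at the end) over a burst of packets from many distinct sources, and runs the same burst through a toy stateful flow table with a fixed capacity, so the difference in behaviour once the table fills is visible.

```python
"""Toy model: stateless edge ACL versus a capacity-limited stateful flow table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "ip"                  # "ip" matches any protocol
    dport: Optional[int] = None        # None matches any destination port


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in entry.src
            and ipaddress.ip_address(pkt.dst) in entry.dst
            and entry.proto in ("ip", pkt.proto)
            and entry.dport in (None, pkt.dport))


def evaluate_acl(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; implicit deny at the end, as on a router ACL.
    Nothing is remembered between packets, so cost and memory are constant."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action
    return "deny"


def build_edge_acl() -> List[AclEntry]:
    # Hypothetical ingress policy for a hosting prefix (constructed values).
    return [
        AclEntry("deny", ipaddress.ip_network("10.0.0.0/8"), ANY),               # private source on the Internet edge
        AclEntry("permit", ANY, ipaddress.ip_network("203.0.113.0/24"), "tcp", 443),
        AclEntry("permit", ANY, ipaddress.ip_network("203.0.113.0/24"), "tcp", 80),
        # everything else falls through to the implicit deny
    ]


class StatefulTable:
    """Minimal connection tracker: admits a packet if its flow is known, or if there is
    room to create a new flow entry. Once full, every new flow is refused."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.flows = set()
        self.dropped_new = 0

    def process(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flows:
            return "permit"
        if len(self.flows) >= self.capacity:
            self.dropped_new += 1          # table exhausted: new flows are refused
            return "deny"
        self.flows.add(key)
        return "permit"


def simulate(n_sources: int = 5000, capacity: int = 1000) -> dict:
    """Run one burst of n_sources distinct-source packets through both mechanisms."""
    acl = build_edge_acl()
    table = StatefulTable(capacity)
    # Constructed burst: many distinct sources in 100.64.0.0/10, one flow each, to a web host.
    burst = [Packet(str(ipaddress.IPv4Address("100.64.0.0") + i), "203.0.113.10", "tcp", 443)
             for i in range(n_sources)]
    acl_permitted = sum(evaluate_acl(acl, p) == "permit" for p in burst)
    table_permitted = sum(table.process(p) == "permit" for p in burst)

    # A legitimate new client arriving after the burst.
    late = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)
    # A packet with a private source address, which the edge ACL refuses outright.
    spoofed = Packet("10.1.2.3", "203.0.113.10", "tcp", 443)
    return {
        "acl_permitted": acl_permitted,
        "acl_state_entries": 0,                      # the ACL keeps no per-flow state
        "table_permitted": table_permitted,
        "table_flows": len(table.flows),
        "table_dropped_new": table.dropped_new,
        "late_legit": {"acl": evaluate_acl(acl, late), "table": table.process(late)},
        "spoofed_source": evaluate_acl(acl, spoofed),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The ACL admits every packet that matches policy at a fixed per-packet cost, which is why it fits at a line-rate edge; the stateful table admits the first `capacity` flows and then refuses the legitimate late client as well, which is the scaling limit the quoted message is describing. The model is deliberately simple (no timeouts, no eviction), so real connection trackers degrade more gracefully, but the shape of the problem is the same.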