RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Bill James (bubbagates_at_comcast.net)
Date: 01/03/04

  • Next message: Paul Robertson: "Re: [fw-wiz] port 27015"
    To: "'Marcus J. Ranum'" <mjr@ranum.com>, "'David Pick'" <d.m.pick@qmul.ac.uk>
    Date: Sat, 3 Jan 2004 17:53:22 -0500
    
    

    > -----Original Message-----
    > From: Marcus J. Ranum [mailto:mjr@ranum.com]
    > Sent: Saturday, January 03, 2004 5:42 PM
    > To: Bill James; 'David Pick'
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
    >
    > Bill James wrote:
    > >The problem with using ACLs is the load they can add to a
    > router. Most
    > >of Cisco's newer IOS' have IP Inspection and do OK but can add a
    > >tremendous load on the router.
    >
    > I've never found any good studies of ACL performance. Do you
    > have any references you can point us to?
    >
    > mjr.
    >
    >

    This is based on experience over the years and having clients wanting to
    run IP Inspect and ACLs on the same 1720 router with 8 MB flash and 32 MB
    RAM and a high-volume link. On this particular site NAT is running,
    there are about 20 full-time PPTP users passing through to an MS server
    and approx. 15 permits in the ACLs with the customary deny all at the
    end.

    On a typical day this router runs at 50 to 75 percent processor. (I
    know; I have explained to the customer the need to upgrade the router.)

    I have even seen 2621s and 3600s get overloaded, but the traffic was
    very high at the time; viruses were mainly the cause in all cases.

    In any case, I have seen that with a PIX or iptables, traffic did slow during
    virus and DDoS attacks, but traffic still got through.

    I wish I had some good studies for the sake of argument.

    Bill James

    The objective of all dedicated employees should be to thoroughly analyze
    all situations, anticipate all problems prior to their occurrence, have
    answers for these problems, and move swiftly to solve these problems
    when called upon.

    However, when you are up to your ass in alligators it is difficult to
    remind yourself your initial objective was to drain the swamp.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
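The following is an added example, not code from Bill James's post or from anyone on the thread. It models what the post describes (a router ACL with about 15 permits and a deny all at the end, PPTP users reaching an MS server, and a worm burst) as a sequential first-match ACL evaluator, and counts how many entries each packet walks before it is decided. The addresses, the ACL contents and the traffic mix are constructed for the example; the model assumes the classic software path (each packet compared against entries in order until one matches) and ignores NAT, IP Inspect and any compiled-ACL optimisation a given IOS/platform may have, so the numbers are a proxy for relative cost, not a CPU measurement.

```python
"""Sequential first-match ACL evaluation: why scan/worm traffic costs more CPU than permitted traffic.

Constructed example (not a real site): ACL entries, addresses and packets are all made up here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ip = ipaddress.ip_address


@dataclass(frozen=True)
class Ace:
    """One access-control entry, roughly `permit tcp any host X eq PORT`."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any protocol; else "tcp", "udp", "gre"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Protocol, source network, destination network and (optionally) destination port must all match."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation, as a sequential router ACL does it.

    Returns (action, entries_examined). A packet that matches nothing is dropped by the
    implicit deny only after every entry has been examined.
    """
    for examined, ace in enumerate(acl, 1):
        if ace_matches(ace, pkt):
            return ace.action, examined
    return "deny", len(acl)


def acl_workload(acl: List[Ace], packets: List[Packet]) -> int:
    """Total entries examined over a packet mix: a stand-in for per-packet ACL CPU cost."""
    return sum(evaluate(acl, p)[1] for p in packets)


# Constructed site: documentation ranges only (RFC 5737), not real hosts.
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.0.2.0/24")
SERVER = ipaddress.ip_network("192.0.2.10/32")   # the MS server the PPTP users reach
MAIL = ipaddress.ip_network("192.0.2.20/32")
DNS = ipaddress.ip_network("192.0.2.21/32")


def permit(proto: str, dst: ipaddress.IPv4Network, dport: Optional[int] = None) -> Ace:
    return Ace("permit", proto, ANY, dst, dport)


# 15 permits followed by the customary deny all (16 entries in total).
ACL: List[Ace] = [
    permit("tcp", SERVER, 1723),   # PPTP control channel, placed first on purpose
    permit("gre", SERVER),         # PPTP data (GRE)
    permit("tcp", MAIL, 25),
    permit("tcp", MAIL, 80),
    permit("tcp", MAIL, 443),
    permit("udp", DNS, 53),
    permit("tcp", DNS, 53),
    permit("tcp", MAIL, 110),
    permit("tcp", MAIL, 143),
    permit("tcp", MAIL, 993),
    permit("tcp", MAIL, 995),
    permit("udp", SERVER, 500),
    permit("udp", SERVER, 4500),
    permit("tcp", SERVER, 3389),
    permit("udp", LAN, 123),
    Ace("deny", "ip", ANY, ANY),   # explicit deny all at the end
]


def legit_traffic() -> List[Packet]:
    """20 PPTP sessions: one control packet and one GRE packet each (constructed)."""
    return ([Packet("tcp", ip("198.51.100.7"), ip("192.0.2.10"), 1723)] * 20
            + [Packet("gre", ip("198.51.100.7"), ip("192.0.2.10"))] * 20)


def worm_traffic() -> List[Packet]:
    """100 scan packets to tcp/135 across the LAN: nothing permits them (constructed)."""
    return [Packet("tcp", ip(f"203.0.113.{i}"), ip(f"192.0.2.{i}"), 135) for i in range(1, 101)]


if __name__ == "__main__":
    good, bad = legit_traffic(), worm_traffic()
    print("permitted traffic: %d packets, %d entries examined" % (len(good), acl_workload(ACL, good)))
    print("worm traffic:      %d packets, %d entries examined" % (len(bad), acl_workload(ACL, bad)))
```

Every denied packet walks the whole list, so a worm burst costs roughly `len(ACL)` comparisons per packet no matter how cheap the permitted traffic is; ordering the busiest permits first (where overlapping entries allow it) and keeping the list short reduces the cost of accepted traffic but not of the dropped traffic that dominates during an outbreak. That asymmetry is one reason a stateful device, which decides most packets against an existing session entry rather than the rule list, degrades more gracefully than a router evaluating a long ACL in software.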

