RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 01/04/04

    To: "Bill James" <bubbagates@comcast.net>, "'David Pick'" <d.m.pick@qmul.ac.uk>
    Date: Sat, 03 Jan 2004 18:11:00 -0500

    Bill James wrote:
    >this is based on experience over the years and having clients wanting to
    >run IP Inspect and ACL on the same 1720 router with 8mb flash and 32mb
    >ram and a high volume link...On this particular site NAT is running,
    >there are about 20 full-time PPTP users passing through to a MS server
    >and approx. 15 permits in the ACLs with the customary deny all at the
    >end

    I wonder if that's a typical mix. It'd be really cool if we could
    actually say things like "running NAT on a blah blah where
    the processor hits x% we measured a performance impact of
    y on a mix of 70/20/10 web/email/other traffic." There's a lot of
    intangibles but - well - I wish there were fewer! :)

    >On a typical day this router runs at 50 to 75 percent processor...(I
    >know....I have explained to the customer the need to upgrade the router)

    It sure would be neat if someone actually studied some of this stuff
    and did a whitepaper on the downstream performance effects of
    router load. That's what bugs me about all this stuff. We can sit
    here and say "the router is running at 50% processor" but what
    does that *MEAN* in terms of thruput?

    We security geeks have had performance played as a card against
    security over and over and over as long as I've been working this beat.
    I've seen many organizations that should know better leave important
    systems wide open because the router geeks blew "the performance
    impact of ACLs" in some manager's ear and security went out the
    window. I don't know how to beat it, but I bet some hard numbers
    would help a lot. With the antivirus thing you can usually get by with
    a rule of thumb like "antivirus will cost you 2% of your CPU performance"
    and most people will buy it and stop blowing performance smoke
    on that topic.

    So, whenever someone talks about ACL performance I ask them
    if they have any hard numbers. I'm still looking... :) Anyone on the
    list looking for a topic for a LISA paper?

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
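    The post above asks for "hard numbers" relating router load to what an ACL actually costs. The following is an added illustration, not code from the thread or from any vendor: given paired samples of (ACL entry count, measured CPU %) taken at the same offered load, it fits a least-squares line to estimate the baseline CPU use, the marginal CPU cost per access-list entry, and how many entries fit before a chosen CPU ceiling. The sample values are constructed for the example and describe no real router; the same fit applies unchanged to any (load factor, metric) pairs, such as NAT sessions versus CPU or CPU versus measured throughput, which is the relationship the post really wants quantified. The residuals function is there because a poor linear fit (for example a fast path or cache changing behaviour part-way) should stop anyone from quoting the slope as a rule of thumb.

```python
"""Added example (not from the firewall-wizards thread): turning CPU-utilization
samples into per-ACL-entry cost figures.

All figures below are CONSTRUCTED for illustration; they are not measurements
of any real router. The method is ordinary least-squares fitting of router CPU
utilization against the number of access-list entries at a fixed offered load.
"""
from typing import List, Sequence, Tuple

# Constructed samples: (ACL entries, measured CPU %) at the same offered load.
SAMPLES: List[Tuple[int, float]] = [(0, 20.0), (15, 26.0), (30, 32.0), (60, 44.0)]


def fit_linear(xs: Sequence[float], ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares line y = slope*x + intercept; returns (slope, intercept)."""
    n = len(xs)
    if n < 2 or len(ys) != n:
        raise ValueError("need at least two paired samples")
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("all x values identical; slope undefined")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def per_entry_cpu_cost(samples: Sequence[Tuple[int, float]]) -> Tuple[float, float]:
    """Return (CPU % per ACL entry, baseline CPU % with an empty ACL)."""
    xs = [s[0] for s in samples]
    ys = [s[1] for s in samples]
    return fit_linear(xs, ys)


def entries_until_ceiling(samples: Sequence[Tuple[int, float]],
                          ceiling_pct: float = 90.0) -> float:
    """How many ACL entries the fitted model allows before CPU reaches ceiling_pct.

    Returns inf when entries do not increase CPU use in the samples.
    """
    slope, intercept = per_entry_cpu_cost(samples)
    if slope <= 0:
        return float("inf")
    return max(0.0, (ceiling_pct - intercept) / slope)


def residuals(samples: Sequence[Tuple[int, float]]) -> List[float]:
    """Per-sample error of the fit. Large values mean the linear model is a poor
    description of the box and its slope should not be quoted as a rule of thumb."""
    slope, intercept = per_entry_cpu_cost(samples)
    return [y - (slope * x + intercept) for x, y in samples]


if __name__ == "__main__":
    slope, base = per_entry_cpu_cost(SAMPLES)
    print(f"baseline CPU {base:.1f}%, +{slope:.2f}% CPU per ACL entry")
    print(f"entries before 90% CPU: {entries_until_ceiling(SAMPLES):.0f}")
    print("residuals:", [round(r, 2) for r in residuals(SAMPLES)])
```

    Collect the samples on the real device by adding rules in steps while holding the offered traffic mix constant (the post's "70/20/10 web/email/other" is exactly the kind of mix to pin down and state alongside the numbers), and repeat the fit per platform, since the intercept and slope are properties of one box under one load, not of ACLs in general.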

