RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
From: Marcus J. Ranum (mjr_at_ranum.com)
To: "Bill James" <firstname.lastname@example.org>, "'David Pick'" <email@example.com>
Date: Sat, 03 Jan 2004 18:11:00 -0500
Bill James wrote:
>this is based on experience over the years and having clients wanting to
>run IP Inspect and ACL on the same 1720 router with 8mb flash and 32mb
>ram and a high volume link...On this particular site NAT is running,
>there are about 20 full-time PPTP users passing through to a MS server
>and approx. 15 permits in the ACL's with the customary deny all at the
I wonder if that's a typical mix. It'd be really cool if we could
actually say things like "running NAT on a blah blah where
the processor hits x% we measured a performance impact of
y on a mix of 70/20/10 web/email/other traffic." There are a lot of
intangibles but - well - I wish there were fewer! :)
>On a typical day this router runs at 50 to 75 percent processor...(I
>know...I have explained to the customer the need to upgrade the router)
It sure would be neat if someone actually studied some of this stuff
and did a whitepaper on the downstream performance effects of
router load. That's what bugs me about all this stuff. We can sit
here and say "the router is running at 50% processor" but what
does that *MEAN* in terms of throughput?
We security geeks have had performance played as a card against
security over and over and over as long as I've been working this beat.
I've seen many organizations that should know better leave important
systems wide open because the router geeks blew "the performance
impact of ACLs" in some manager's ear and security went out the
window. I don't know how to beat it, but I bet some hard numbers
would help a lot. With the antivirus thing you can usually get by with
a rule of thumb like "antivirus will cost you 2% of your CPU performance"
and most people will buy it and stop blowing performance smoke
on that topic.
So, whenever someone talks about ACL performance I ask them
if they have any hard numbers. I'm still looking... :) Anyone on the
list looking for a topic for a LISA paper?
firewall-wizards mailing list