RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 01/04/04

  • Next message: Timo Proescholdt: "[fw-wiz] netscreen 25 sofaware ipsec interop"
    To: "'Paul Robertson'" <proberts@patriot.net>
    Date: Sat, 3 Jan 2004 18:36:05 -0600
    
    

    inline

    Wes Noonan
    mailinglists@wjnconsulting.com
    http://www.wjnconsulting.com

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com [mailto:firewall-wizards-
    > admin@honor.icsalabs.com] On Behalf Of Paul Robertson
    > Sent: Saturday, January 03, 2004 18:23
    > To: Wes Noonan
    > Cc: 'Marcus J. Ranum'; 'Bill James'; 'David Pick'; firewall-
    > wizards@honor.icsalabs.com
    > Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls
    >
    > On Sat, 3 Jan 2004, Wes Noonan wrote:
    >
    > > One of the problems that we had when I was working for a company that
    > made
    > > network performance management tools was dealing with this exact issue.
    > > Because every packet size is variable in most networks (ATM, etc. are
    > > obvious exceptions), the impact that many things have on the performance
    > of
    > > a network device becomes almost impossible to make a general baseline
    > > statement about, much to the chagrin of the sales force. This is so true
    > > that Cisco (and most other vendors) typically refer to a set 64K packet
    > size
    > > in the small print on all of their performance metrics, although this is
    >
    > Erm, you mean 64 *byte* don't you?

    Err... been writing for about 10 hours today... eyes and brain getting
    tired... :-)
     
    > It already is, so the processing overhead is incremental, that's why Cisco
    > did so much work on access lists and ensuring the switching paths were as
    > fast as possible even without things like VIP cards. Seriously- adding
    > permits first for the bulk of the traffic will keep the router singing.
    >
    > I've had to overcome the "can't put filters on that router" thing for
    > production routers way too many times- and every single time, when the
    > rules were sane, the router's CPU wasn't even measurably impacted. Am I
    > beating a dead horse? Sure! Because it'll make it easier if people
    > understand that for most routers, IF you do it right, extended access
    > lists won't hurt it- if they do, the router's seriously underconfigured
    > anyway- the ACLs won't be the real issue.

    Oh, I agree completely. It's been my experience that pretty much any time
    ACLs caused a problem on the router it was really just a symptom of another
    problem, generally having too small a device trying to perform the role.
    I.e. wedging a 1720 to service all routing for a few hundred users is the
    problem, if you know what I mean.
     
    > You can produce some general numbers and a traffic profile that's "good
    > enoough" to measure with. Traffic like multicast, and traffic *to* the
    > router will do more to impact performance than stuff you're passing
    > through it, since those are process switched (AFAIR) and that's where the
    > real hits come from.

    Agreed. The problem comes into the question of what is "good enough". Some
    folks are overly anal-retentive on this subject.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Timo Proescholdt: "[fw-wiz] netscreen 25 sofaware ipsec interop"

    Relevant Pages

    • [EXPL] 3Com OfficeConnect 812/840 Router DoS Exploit Code
      ... 3Com OfficeConnect 812/840 Router DoS Exploit Code ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... employ another method supported on these products called access lists. ...
      (Securiteam)
    • Re: 13. Re: FC9 NetworkManager & WPA (Tim)
      ... lists of available authentication methods it worked - as the other guy ... make sure the router is configured with WPA. ... You plug in your new wireless router, ... read messages from the public lists. ...
      (Fedora)
    • Re: dorm room WAP - DI-614 vs WRT54G
      ... Their internal network web page has suggestions for WAP ... Their store lists a few others including 11n ... Any computers connected to ResNet through your router or wireless ... infected computer is cleaned." ...
      (alt.internet.wireless)
    • Routing and VPN troubles...
      ... There are about a 1000 different lists - hope this is the right one - if ... That is the essence of the firewalling / port filtering of the VPN - like ... can I trest the virtual VPN interfaces as normal interfaces for purposes of ... the router, not each other... ...
      (freebsd-net)