RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

From: Mark Gumennik (mgumennik_at_mitre.org)
Date: 01/05/04

    To: "'Marcus J. Ranum'" <mjr@ranum.com>, "'Bill James'" <bubbagates@comcast.net>, "'David Pick'" <d.m.pick@qmul.ac.uk>, "'Paul Robertson'" <proberts@patriot.net>
    Date: Mon, 5 Jan 2004 12:14:00 -0500

    I have done some experiments with the router's ACLs.
    I applied several different types (sic!) of ACLs with the number of
    lines from 20 to 500.
    Then I was banging it (the router) with different packets generated by
    SmartBits.
    I have tested 2 mid-size routers on 10 MBps and 100 MBps interfaces.

    The result was quite strange:

    On the ACLs based on "permit all" statement at the end:
    Almost independent of the length of the ACLs, I have seen the routers
    starting packet drop at 20% of the interface speed (18 - 22%, depending
    on the length). Keep in mind that the traffic was the same all the time,
    close to the real thing.

    On the ACLs based on "deny all" statement at the end:
    - much more dependent on the length of the ACL and positioning of certain
    statements within the ACL.
    The packet drop started @ 40-50% of the line speed.

    Mark G

    PS I'll be out to sea for a week

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Marcus
    J. Ranum
    Sent: Saturday, January 03, 2004 5:42 PM
    To: Bill James; 'David Pick'
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Comparisons between Router ACLs and Firewalls

    Bill James wrote:
    >The problem with using ACL's is the load they can add to a router. Most
    >of Cisco's newer IOS' have IP Inspection and do OK but can add a
    >tremendous load on the router.

    I've never found any good studies of ACL performance. Do you have any
    references you can point us to?

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


