RE: [fw-wiz] Defense in Depth to the Desktop

From: Scott Stursa (stursa_at_mailer.fsu.edu)
Date: 12/08/04

  • Next message: Chris Pugrud: "RE: [fw-wiz] Defense in Depth to the Desktop"
    To: Chris Pugrud <cpugrud@yahoo.com>
    Date: Wed, 8 Dec 2004 15:28:12 -0500 (EST)
    
    

    On Mon, 6 Dec 2004, Chris Pugrud wrote:

    > Organizations with a Cisco core can upgrade to the firewall feature set to gain
    > the stateful packet filtering required to implement the model, at least that's
    > how I'm doing it in one fairly large environment.

    Really? On what kind of hardware?

    Our experience, at least with CAT6500s running SUP2, is that CBAC can
    be a real dog (Context Based Access Control, the "stateful inspection"
    piece of Firewall Feature Set). It works okay for small departmental nets,
    but if you have 150+ desktops busily accessing numerous resources outside
    their subnet (i.e., through the CBAC ACL), it can have a serious
    performance impact.

    And don't even think about running it on a CAT5500/RSM.

    Don't know about a 6500 equipped with a SUP720, but even if the
    performance is improved, functionally FFS is no substitute for a PIX or a
    FWSM.

    - SLS

    ------------------------------------------------------------------------
    Scott L. Stursa 850/645-2397
    Network Security Assessment stursa@mailer.fsu.edu
    Technology Integration/User Services Florida State University

                         - No good deed goes unpunished -
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
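As an added illustration of the model being discussed (this is not configuration from the original message or from either poster), the following is a minimal CBAC setup on a Catalyst 6500 SVI: desktops on an assumed VLAN 100 (10.0.100.0/24, constructed addresses) may initiate TCP and UDP sessions to the rest of the network, while the static ACL facing the VLAN admits only explicitly permitted traffic; CBAC inserts dynamic return-traffic entries ahead of that ACL for sessions it has inspected. The inspection name DESKTOP, the ACL name DESKTOP-IN and the management host 10.0.1.10 are assumptions for the example.

```cisco
! Added example, not from the original post: IOS Firewall Feature Set (CBAC)
! protecting an assumed desktop VLAN on a CAT6500 MSFC.
! 10.0.100.0/24, 10.0.1.10 and the rule/ACL names are constructed.
!
! Inspection rule: track sessions the desktops open toward other subnets.
ip inspect name DESKTOP tcp
ip inspect name DESKTOP udp
!
! Shorter idle timers keep the session table (and the MSFC's work) smaller
! than the defaults of 3600 s (TCP) and 30 s (UDP).
ip inspect tcp idle-time 1800
ip inspect udp idle-time 15
!
! Static policy for traffic entering the desktop VLAN from elsewhere.
! Only the assumed management host may open SSH to desktops; ping replies
! are allowed; everything else depends on a matching CBAC session entry,
! which IOS places ahead of these lines while the session lives.
ip access-list extended DESKTOP-IN
 permit tcp host 10.0.1.10 10.0.100.0 0.0.0.255 eq 22
 permit icmp any 10.0.100.0 0.0.0.255 echo-reply
 deny   ip any any log
!
interface Vlan100
 description Desktop subnet (assumed addressing)
 ip address 10.0.100.1 255.255.255.0
 ! Inspect sessions in the direction the desktops initiate them ...
 ip inspect DESKTOP in
 ! ... and filter what is allowed back into the VLAN.
 ip access-group DESKTOP-IN out
!
! Verification before trusting the policy:
!   show ip inspect config        - the rule and its timers
!   show ip inspect sessions      - live sessions desktops have opened
!   show ip inspect statistics    - session counts and resets over time
!   show ip access-lists DESKTOP-IN - hit counts on the static entries
```

The point to take from the example relative to the message above is where the work lands: every session a desktop opens must be inspected and have a dynamic ACL entry created, maintained and aged out, and on a 6500 that is done on the MSFC in software rather than in the PFC's hardware forwarding path. That is the cost the poster describes for 150+ busy desktops, and it is the reason the FWSM (which does the same stateful job in a dedicated module) is named as the alternative rather than a faster supervisor.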

