Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?
greetings and salutations. peace to the nations.

well, i don't understand really what you mean by the packet sizes and first
match vs. last match. i am more a firewall apprentice than firewall wizard.

what i can definitely agree with is the performance data that a certain
company from the Bay Area says their firewalls can do around 200
Megabits/second. we are seeing 80% CPU load on the firewall (watched via
Nagios and Cacti) when we push around 10 Megabits/second.

how is this even a useful metric is my question? 200 Megabits/second with a
default ALLOW ANY to ANY ruleset on both in and out?? :P

-jg
On Dec 10, 2007 9:42 PM, Carson Gaspar <carson@xxxxxxxxxx> wrote:

jacob c wrote:
1) Firewall performance figures from all vendors are highly overrated on
the datasheets.

If you want to get a certain firewall company to complain to your senior
management that you're being "mean" and try and get you fired, demand 64
byte packet last-match performance numbers (as opposed to the 1500+ byte
first match numbers they'll try and give you). Also be very careful to
ask about behaviour when this limit is exceeded. It was very informative
to see which vendors were packet rate limited and which were bit rate
limited. The performance scaling with ruleset size was also interesting.
Sadly I don't know of any vendors that publish this data openly. I do
know that you can tell a good one by their reaction when you ask for it.

(And, no, I'm not making this up. But I'll refrain from naming names
since they can afford to sue me out of existence.)

--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
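A worked illustration of the two points Carson raises (packet size and first-match versus last-match rule depth), added here as an educational example; it is not part of the thread and does not describe any vendor's product. It models a firewall whose CPU walks a linear ACL for every packet, with assumed per-packet and per-rule costs (the 2000 ns, 20 ns, 1000-rule and 1 Gbit/s figures are constructed), shows why a 1500-byte first-match test reports near line rate while a 64-byte last-match test does not, and classifies a box as packet-rate or bit-rate limited from two saturation measurements. The last function applies the same linear reasoning to jg's observation of 80% CPU at about 10 Mbit/s.

```python
"""Why firewall throughput numbers depend on frame size and rule-match depth.

Constructed example for the firewall-wizards thread; all cost figures are
assumptions chosen to show the shape of the effect, not measurements.
"""
from dataclasses import dataclass

# Ethernet overhead per frame on the wire: 8-byte preamble/SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME = 64      # smallest legal Ethernet frame: worst case for a packet-rate limit
MAX_FRAME = 1500    # MTU-sized frame: what a datasheet "first match" test typically uses


def packets_per_second(mbps: float, frame_bytes: int) -> float:
    """Packets per second a link carries at `mbps` when every frame is `frame_bytes` long."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return mbps * 1_000_000 / wire_bits


@dataclass
class LinearRulesetFirewall:
    """Toy firewall that checks a linear ACL top to bottom for every packet.

    per_packet_ns and per_rule_ns are assumed CPU costs (nanoseconds); they exist
    only to make the curve visible, not to describe a real box.
    """
    link_mbps: float
    per_packet_ns: float   # fixed cost: header parse, session lookup, NAT, logging
    per_rule_ns: float     # cost of comparing one packet against one ACL entry
    rule_count: int

    def rules_checked(self, match_position: str) -> int:
        # "first": permitted by rule 1; "last": falls all the way through the ACL.
        return 1 if match_position == "first" else self.rule_count

    def capacity_pps(self, match_position: str) -> float:
        """Packets per second the CPU can process before it saturates."""
        cost_ns = self.per_packet_ns + self.rules_checked(match_position) * self.per_rule_ns
        return 1e9 / cost_ns

    def throughput_mbps(self, frame_bytes: int, match_position: str) -> float:
        """Delivered bit rate: the lower of the link rate and what the CPU can push."""
        wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
        cpu_bound_mbps = self.capacity_pps(match_position) * wire_bits / 1_000_000
        return min(self.link_mbps, cpu_bound_mbps)


def limiting_factor(pps_small: float, mbps_small: float,
                    pps_large: float, mbps_large: float,
                    tolerance: float = 0.15) -> str:
    """Classify a box from its saturation points with small and large frames.

    A flat packet rate across frame sizes means packet-rate limited; a flat bit
    rate means bit-rate limited. `tolerance` is the allowed relative spread.
    """
    pps_ratio = min(pps_small, pps_large) / max(pps_small, pps_large)
    mbps_ratio = min(mbps_small, mbps_large) / max(mbps_small, mbps_large)
    if pps_ratio >= 1 - tolerance:
        return "packet-rate limited"
    if mbps_ratio >= 1 - tolerance:
        return "bit-rate limited"
    return "mixed"


def saturation_estimate_mbps(observed_mbps: float, cpu_fraction: float) -> float:
    """Linear extrapolation of the load at which CPU reaches 100% for the observed traffic mix."""
    return observed_mbps / cpu_fraction


if __name__ == "__main__":
    fw = LinearRulesetFirewall(link_mbps=1000.0, per_packet_ns=2000, per_rule_ns=20, rule_count=1000)
    for frame, pos in [(MAX_FRAME, "first"), (MIN_FRAME, "first"), (MAX_FRAME, "last"), (MIN_FRAME, "last")]:
        print(f"{frame:5d}-byte frames, {pos:5s} match: {fw.throughput_mbps(frame, pos):8.1f} Mbit/s")
    # Same box measured at both frame sizes: the packet rate is flat, so it is packet-rate limited.
    print(limiting_factor(fw.capacity_pps("last"), fw.throughput_mbps(MIN_FRAME, "last"),
                          fw.capacity_pps("last"), fw.throughput_mbps(MAX_FRAME, "last")))
    # jg's data point: 80% CPU at roughly 10 Mbit/s, extrapolated linearly.
    print(f"Estimated saturation for the observed mix: {saturation_estimate_mbps(10, 0.8):.1f} Mbit/s")
```

With the constructed costs the 1500-byte first-match case reports the full 1 Gbit/s link rate (the CPU could push about 6 Gbit/s of such frames), while 64-byte last-match traffic through the same 1000-rule ACL delivers about 30 Mbit/s: a 30x gap from the same hardware, which is why Carson's 64-byte last-match request is the one that exposes the real number. The extrapolation helper is deliberately linear; with a real box, measure at two more load points before trusting it.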
