Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?


My original reply based on the assumption that you were thinking about the ASA box because you wanted a UTM style box. If that is the case, my opinion is that Cisco is always behind the curve when it comes to their secuirty boxes. The ASA itself is a box itself that came out two years AFTER everyone else was already producing UTM appliances. Therefore, vendors, like Juniper and Fortinet have been a multi-function box for quite a while and they are very mature platforms. Also, you can't completely manage an ASA through the GUI. You will still have to learn lots of CLI.

All I'm saying, is that it shouldn't be that hard. Technology should be simpler once it's been around for a while and it is with other vendors. Please keep in mind that I am NOT anti-cisco. Feature for feature, they still make the best routers and switches around and their VoIP solution is pretty mature nowadays too. I just don't think much of their security appliances. I actually work for a consulting company and I sell/support all three vendor's appliances.

In the end, if you want a UTM style box, which is the current trend, research your options besides Cisco. This includes browing the Cisco-nsp forum as well and you will see enough validation for my claims.


"John G." <isaac737@xxxxxxxxx> wrote:
greetings and salutations. peace to the nations.

well, i don't understand really what you mean by the packet sizes and first match vs. last match. i am more a firewall apprentice than firewall wizard.

what i can definitely agree with is the performance data that a certain company from the Bay Area says their firewalls can do around 200 Megabits/second. we are seeing 80% CPU load on the firewall (watched via Nagios and Cacti) when we push around 10 Megabits/second.

how is this even a useful metric is my question? 200 Megabits/second with a default ALLOW ANY to ANY ruleset on both in and out?? :P


On Dec 10, 2007 9:42 PM, Carson Gaspar < carson@xxxxxxxxxx> wrote:
jacob c wrote:
1) Firewall performance figures from all vendors are highly overrated on
the datasheets.

If you want to get a certain firewall company to complain to your senior
management that you're being "mean" and try and get you fired, demand 64
byte packet last-match performance numbers (as opposed to the 1500+ byte
first match numbers they'll try and give you). Also be very careful to
ask about behaviour when this limit is exceeded. It was very informative
to see which vendors were packet rate limited and which were bit rate
limited. The performance scaling with ruleset size was also interesting.
Sadly I don't know of any vendors that publish this data openly. I do
know that you can tell a good one by their reaction when you ask for it.

(And, no, I'm not making this up. But I'll refrain from naming names
since they can afford to sue me out of existence.)


firewall-wizards mailing list

firewall-wizards mailing list

Never miss a thing. Make Yahoo your homepage._______________________________________________
firewall-wizards mailing list

Relevant Pages

  • IPS test criteria (was IDSIPS that can handle one Gig)
    ... Chris - what makes ICSA particularly relevant when it comes to defining IPS ... Speak to the vendors who were at their recent forum meeting ... a wide range of traffic loads and packet sizes. ... wide range of test criteria). ...
  • Re: Detecting covert data channels?
    ... This is long pending problem for IDS/IPS vendors. ... To resolve issues with Encrypted Data, there are IPS who does MIM ... while key is being exchange and before sending the packet back to the ... Also Note that for Header senitization, IPS vendors are having ...