Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?

John G. wrote:

> well, i don't understand really what you mean by the packet sizes and
> first match vs. last match. i am more a firewall apprentice than
> firewall wizard.

A vendor says "we support 1 Gb/sec"

Packet sizes (with silly numbers):

If you have 128 MB (1 Gb) packets, the firewall has to process 1 packet
If you have 1 B packets, the firewall has to process 1073741824 packets

Assuming per-packet overhead is non-zero, those are _hugely_ different
numbers. Of course in reality the values vary between 64 and 1500 bytes,
not 1 and 134217728 bytes.

Rule sizes (related to the above):

Matching a single "permit any any" rule takes some (minimal) time.
Matching a 10,000 entry rule set where the "permit" entry that matches
your packets is last takes some, possibly greater, amount of time,
especially if the firewall has a naive linear rule application algorithm.

In general, you find that:

- Firewalls have a packet rate limit caused by their per-packet
processing overhead. In some cases this is related to their ruleset
size. In most cases this is related to the number of existing connections.

- Firewalls have a new session rate limit caused by their connection
setup overhead. This is almost always related to their rule set size,
although there are exceptions - Lucent had O(1) (constant time) ACL
processing on some of their routers, thanks to some fun math from their

- Firewalls have a bit-rate limit caused by hardware platform limits,
but these limits are almost _never_ reached in real life.

firewall-wizards mailing list
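As an added illustration of the two points above (this is example code, not something from the original thread or from any vendor), the snippet below computes the packet rate a "1 Gb/sec" link actually implies at realistic frame sizes and counts how many rules a naive linear first-match evaluator touches when the permit entry sits first versus last. The 20-byte per-frame wire overhead (preamble plus inter-frame gap) and the rule layout are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed per-frame wire overhead: 8-byte preamble/SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20


def packets_per_second(bits_per_second: int, packet_bytes: int,
                       overhead: int = WIRE_OVERHEAD_BYTES) -> float:
    """Packet rate a link of the given bit rate carries at one frame size."""
    return bits_per_second / ((packet_bytes + overhead) * 8)


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: Optional[str]      # None means "any"
    dst_port: Optional[int]   # None means "any"


def first_match(rules: List[Rule], proto: str, dst_port: int) -> Tuple[str, int]:
    """Naive linear first-match lookup; returns (action, rules examined)."""
    for examined, r in enumerate(rules, start=1):
        if (r.proto is None or r.proto == proto) and \
           (r.dst_port is None or r.dst_port == dst_port):
            return r.action, examined
    return "deny", len(rules)  # implicit deny once the list is exhausted


def build_ruleset(n_denies: int, permit_first: bool) -> List[Rule]:
    """Constructed rule set: n deny rules on distinct TCP ports plus one
    'permit any any', placed either at the head or at the tail."""
    denies = [Rule("deny", "tcp", 10000 + i) for i in range(n_denies)]
    permit = Rule("permit", None, None)
    return [permit] + denies if permit_first else denies + [permit]


if __name__ == "__main__":
    for size in (64, 1500):
        print(f"{size:5d}-byte frames at 1 Gb/s: {packets_per_second(10**9, size):,.0f} pps")
    for first in (True, False):
        action, seen = first_match(build_ruleset(10000, first), "tcp", 80)
        print(f"permit {'first' if first else 'last'}: {action} after {seen} rules")
```

Note that moving the permit to the head also changes semantics: it shadows every deny below it, so rule order is a correctness question before it is a performance one.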
