List: firewalls-gc
Subject: RE: IP Filters?
From: "Stackpole, Bill" <BSTACKPO () sla ! com>
Date: 1997-07-03 9:55:16
I've never built an access list with more than 50 entries and I've never
noticed any significant performance problems, even on a 2500 series.
There are some techniques you can use to speed up access list processing.
Remember a Cisco list is exited on the first true, so you can add lines like:
! TCP or UDP ports above the last service you are permitting
! this is done to speed up the list processing
access-list 101 deny tcp any host 255.255.255.255 gt 80
access-list 101 deny udp any host 255.255.255.255 gt 19
just before all the specific rules to speed up list processing.
"Simplify - There is no value in complexity, it's too difficult to
manage."
Bill Stackpole, CISSP
Seitel Leeds & Associates Voice: 206.283.4355
2 Nickerson St. Suite 201 Email: bstackpole@sla.com
Seattle, Wa 98109
> -----Original Message-----
> From: Fernando da Silveira Montenegro [SMTP:montenegro@nutec.com.br]
> Sent: Thursday, July 03, 1997 4:43 AM
> To: Firewalls@GreatCircle.COM
> Subject: IP Filters?
>
> Hello all!
>
> What seems to be the general consensus on how many filtering rules one
> can configure on a router without imposing a noticeable performance
> penalty: 10? 50? 100?
>
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB,
> and is talking two T1s (bonded, no multihoming).
>
> We plan to tighten up our environment a bit (too many DoS attacks for
> our liking), and are considering also stricter filters on our terminal
> servers (PortMaster2 units from Livingston). Same question applies: how
> many filters on a 1MB PM2?
>
> The problem is that the environment being protected is an ISP, so the
> typical "block unless needed" stance doesn't apply.
>
> Thanks in advance. I'll summarize later if there's interest.
>
> Regards,
> Fernando
>
> ObFirewall: Filtering is one element of our security architecture, which
> is migrating to a secure subnet protected by app.level firewall, and is,
> as usual, the first line of defense.
> --
> Fernando da Silveira Montenegro Nutec Informatica
> System/Network Administrator Sao Paulo, SP, BRAZIL
> mailto:montenegro@nutec.com.br http://www.nutecnet.com.br
> voice.:+55-11-5505-5728 #include <disclaimer.h>
>
>
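The first-match behaviour Bill relies on above can be checked without a router. The following is an added example, not code from the original message or from either poster: a small Python simulator of Cisco-style extended ACL evaluation that counts how many entries a packet walks before it hits a match (or the implicit deny at the end). The ACL texts are constructed for the example and use `any` as the destination so the early deny lines cover every host; the addresses are from the 192.0.2.0/24 and 203.0.113.0/24 documentation ranges. It also includes a shadowing check for the pitfall the message's comment warns about: the early deny must sit above the highest port you still intend to permit, otherwise it silently swallows those permits.

```python
"""Simulate Cisco-style extended ACL evaluation: first match wins, implicit deny.

Constructed example (not the original poster's code). Supported syntax:
  access-list <n> permit|deny ip|tcp|udp|icmp <src> <dst> [eq|gt|lt <port>]
where <src>/<dst> are 'any' or 'host A.B.C.D'. Lines starting with '!' are comments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    r"(any|host\s+\d+\.\d+\.\d+\.\d+)\s+(any|host\s+\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(eq|gt|lt)\s+(\d+))?\s*$"
)


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str            # 'any' or a dotted-quad host address
    dst: str
    op: Optional[str]   # eq / gt / lt, or None when no port operator is given
    port: Optional[int]

    def ports(self) -> range:
        """Destination ports this entry covers (whole range when no operator)."""
        if self.op is None:
            return range(0, 65536)
        if self.op == "eq":
            return range(self.port, self.port + 1)
        if self.op == "gt":
            return range(self.port + 1, 65536)
        return range(0, self.port)  # lt


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        num, action, proto, src, dst, op, port = m.groups()
        rules.append(Rule(int(num), action, proto,
                          re.sub(r"^host\s+", "", src), re.sub(r"^host\s+", "", dst),
                          op, int(port) if port else None))
    return rules


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)):
        return False
    if rule.op is None:
        return True
    return dport is not None and dport in rule.ports()


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, entries_examined). First match exits; implicit deny at the end."""
    for examined, rule in enumerate(rules, 1):
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, examined
    return "deny", len(rules)


def shadowed_permits(rules: List[Rule]) -> List[Rule]:
    """Permit entries that an earlier deny entry fully covers (so they can never match)."""
    out = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        for d in rules[:i]:
            if (d.action == "deny" and d.proto in ("ip", r.proto)
                    and d.src in ("any", r.src) and d.dst in ("any", r.dst)
                    and r.ports().start >= d.ports().start
                    and r.ports().stop <= d.ports().stop):
                out.append(r)
                break
    return out


# Constructed ACLs. SLOW has only the specific permits; FAST adds the early-exit denies
# above the highest permitted TCP (80) and UDP (53) ports, as the message suggests.
PERMITS = """\
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit tcp any host 192.0.2.10 eq 53
access-list 101 permit udp any host 192.0.2.10 eq 53
access-list 101 permit tcp any host 192.0.2.11 eq 80
access-list 101 permit tcp any host 192.0.2.12 eq 22
"""
SLOW_ACL = "! constructed: specific permits only, implicit deny at the end\n" + PERMITS
FAST_ACL = """\
! constructed: deny ports above the last permitted service, placed first
access-list 101 deny tcp any any gt 80
access-list 101 deny udp any any gt 53
""" + PERMITS
# Constructed pitfall: the deny sits above a permit it covers (443 > 80).
BAD_ACL = """\
access-list 102 deny tcp any any gt 80
access-list 102 permit tcp any host 192.0.2.11 eq 80
access-list 102 permit tcp any host 192.0.2.11 eq 443
"""

if __name__ == "__main__":
    for name, acl in (("slow", SLOW_ACL), ("fast", FAST_ACL)):
        rules = parse_acl(acl)
        print(name, "tcp/6000 ->", evaluate(rules, "tcp", "203.0.113.5", "192.0.2.11", 6000))
        print(name, "tcp/80   ->", evaluate(rules, "tcp", "203.0.113.5", "192.0.2.11", 80))
    print("shadowed:", [(r.dst, r.port) for r in shadowed_permits(parse_acl(BAD_ACL))])
```

The trade-off the counts make visible: with the early denies, a packet to an unpermitted high port is rejected at entry 1 instead of walking all five permits to the implicit deny, but every permitted packet now examines two extra entries before it matches. The ordering only pays off when denied traffic is a large share of what the interface sees, which is exactly the DoS situation Fernando describes. Run `shadowed_permits` on any list where you add such denies; a permit it reports is one that the early deny has made unreachable.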