
List:       firewalls-gc
Subject:    RE: IP Filters?
From:       "Stackpole, Bill" <BSTACKPO () sla ! com>
Date:       1997-07-03 9:55:16

I've never built an access list with more than 50 entries and I've never
noticed any significant performance problems
even on a 2500 series.  There are some techniques you can use to speed
up access list processing.  Remember a Cisco list is exited on the first
true so you can add lines like:

	! TCP or UDP Ports above the last service you are permitting
	!   this is done to speed up the list processing
	access-list 101 deny   tcp any host 255.255.255.255 gt 80
	access-list 101 deny   udp any host 255.255.255.255 gt 19

just before all the specific rules to speed up list processing.

"Simplify - There is no value in complexity, it's too difficult to
manage."
Bill Stackpole, CISSP                             
Seitel Leeds & Associates          Voice: 206.283.4355
2 Nickerson St.  Suite 201        Email: bstackpole@sla.com
Seattle, Wa 98109

> -----Original Message-----
> From:	Fernando da Silveira Montenegro [SMTP:montenegro@nutec.com.br]
> Sent:	Thursday, July 03, 1997 4:43 AM
> To:	Firewalls@GreatCircle.COM
> Subject:	IP Filters?
> 
>  Hello all!
> 
> What seems to be the general consensus on how many filtering rules one
> can
> configure on a router without imposing a noticeable performance
> penalty:
> 10? 50? 100?
> 
> I know it probably varies  wildly with the equipment you use (2501 x
> 7500,
> for instance), but is anybody running a Cisco 4000 with more than,
> say,
> 100 rules for each filter applied to an interface? The router has 8MB,
> and
> is talking two T1s (bonded, no multihoming).
> 
> We plan to tighten up our environment a bit (too many DoS attacks for
> our
> liking), and are considering also stricter filters on our terminal
> servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
> 
> The problem is that the environment being protected is an ISP, so the
> typical "block unless needed" stance doesn't apply.
> 
> Thanks in advance. I'll summarize later if there's interest.
> 
> Regards,
> Fernando
> 
> ObFirewall: Filtering is one element of our security architecture,
> which
> is migrating to a secure subnet protected by app.level firewall, and
> is,
> as usual, the first line of defense.
> --
> Fernando da Silveira Montenegro     Nutec Informatica
> System/Network Administrator        Sao Paulo, SP, BRAZIL
> mailto:montenegro@nutec.com.br      http://www.nutecnet.com.br
> voice.:+55-11-5505-5728             #include <disclaimer.h>
> 
> 
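
The first-match behaviour Bill describes, as an added example that is not part of this thread: a small Python model of extended access-list evaluation, run over constructed sample rules and packets. It counts how many entries are examined with and without the early broad deny, and goes one step beyond the post by checking the other consequence of first-match semantics: a permit placed below a broader deny is shadowed and never fires, so rule order is a correctness question as well as a speed one. The addresses, rule set and function names are assumptions for illustration; the syntax is a simplified subset of IOS access-list entries.

```python
"""Model of Cisco-style first-match access-list evaluation (added example, not from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """Translate 'any', 'host A.B.C.D' or CIDR into a network object."""
    if spec == "any":
        return ANY
    if spec.startswith("host "):
        return ipaddress.ip_network(spec[5:] + "/32")
    return ipaddress.ip_network(spec, strict=False)


def port_range(op: Optional[str], port: int) -> Tuple[int, int]:
    """Inclusive port range for eq/gt/lt; no operator means every port."""
    if op is None:
        return (0, 65535)
    if op == "eq":
        return (port, port)
    if op == "gt":
        return (port + 1, 65535)
    if op == "lt":
        return (0, port - 1)
    raise ValueError(f"unsupported port operator {op!r}")


@dataclass(frozen=True)
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip" (ip covers both)
    src: str
    dst: str
    port_op: Optional[str] = None
    port: int = 0

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in parse_addr(self.src):
            return False
        if ipaddress.ip_address(dst) not in parse_addr(self.dst):
            return False
        lo, hi = port_range(self.port_op, self.port)
        return lo <= dport <= hi


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """First match wins. Returns (action, entries examined); a count of
    len(acl) + 1 means the implicit deny at the end of the list fired."""
    for i, entry in enumerate(acl, start=1):
        if entry.matches(proto, src, dst, dport):
            return entry.action, i
    return "deny", len(acl) + 1


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """0-based indexes of entries that can never match because an earlier
    entry with the opposite action covers every packet they would match."""
    out = []
    for j, later in enumerate(acl):
        l_lo, l_hi = port_range(later.port_op, later.port)
        for earlier in acl[:j]:
            if earlier.action == later.action:
                continue
            if earlier.proto not in ("ip", later.proto):
                continue
            if not parse_addr(later.src).subnet_of(parse_addr(earlier.src)):
                continue
            if not parse_addr(later.dst).subnet_of(parse_addr(earlier.dst)):
                continue
            e_lo, e_hi = port_range(earlier.port_op, earlier.port)
            if e_lo <= l_lo and l_hi <= e_hi:
                out.append(j)
                break
    return out


# Constructed sample: the only services meant to be reachable (addresses are documentation ranges).
SPECIFIC = [
    Entry("permit", "tcp", "any", "host 192.0.2.10", "eq", 25),   # mail
    Entry("permit", "tcp", "any", "host 192.0.2.11", "eq", 53),   # DNS zone transfers
    Entry("permit", "udp", "any", "host 192.0.2.11", "eq", 53),   # DNS queries
    Entry("permit", "tcp", "any", "host 192.0.2.12", "eq", 80),   # web
]
# The technique from the post: deny everything above the highest permitted port up front.
EARLY_DENY = [
    Entry("deny", "tcp", "any", "any", "gt", 80),
    Entry("deny", "udp", "any", "any", "gt", 53),
]
ACL_PLAIN = SPECIFIC
ACL_FAST = EARLY_DENY + SPECIFIC
# A new HTTPS permit appended below the broad deny is silently shadowed ...
ACL_SHADOWED = ACL_FAST + [Entry("permit", "tcp", "any", "host 192.0.2.12", "eq", 443)]
# ... so it has to sit above the deny (or the deny's threshold has to move).
ACL_FIXED = [Entry("permit", "tcp", "any", "host 192.0.2.12", "eq", 443)] + ACL_FAST

if __name__ == "__main__":
    src = "198.51.100.7"
    print("unwanted tcp/6000, plain:", evaluate(ACL_PLAIN, "tcp", src, "192.0.2.12", 6000))
    print("unwanted tcp/6000, fast: ", evaluate(ACL_FAST, "tcp", src, "192.0.2.12", 6000))
    print("wanted tcp/80, fast:     ", evaluate(ACL_FAST, "tcp", src, "192.0.2.12", 80))
    print("shadowed in ACL_SHADOWED:", shadowed_entries(ACL_SHADOWED))
    print("shadowed in ACL_FIXED:   ", shadowed_entries(ACL_FIXED))
```

The trade-off is visible in the counts: the early deny stops an unwanted high-port packet at entry 1 instead of falling through every line to the implicit deny, while legitimate traffic to a permitted service now costs two extra checks on its way to its permit. The shadow check is the review step worth running whenever an entry is added to a list that uses this trick.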
