[prev in list] [next in list] [prev in thread] [next in thread] 

List:       firewalls-gc
Subject:    Re: IP Filters?
From:       Nick Simicich <njs () scifi ! squawk ! com>
Date:       1997-07-03 17:28:42
[Download RAW message or body]

One client reported enormous degredation on high volume applications with
even one filter rule.

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:

> Date: Thu, 3 Jul 1997 08:42:35 -0300
> From: Fernando da Silveira Montenegro <montenegro@nutec.com.br>
> To: Firewalls@GreatCircle.COM
> Subject: IP Filters?
> 
>  Hello all!
> 
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
> 
> I know it probably varies  wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).
> 
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
> 
> The problem is that the environment being protected is an ISP, so the
> typical "block unless needed" stance doesn't apply.
> 
> Thanks in advance. I'll summarize later if there's interest.
> 
> Regards,
> Fernando
> 
> ObFirewall: Filtering is one element of our security architecture, which
> is migrating to a secure subnet protected by app.level firewall, and is,
> as usual, the first line of defense.
> --
> Fernando da Silveira Montenegro     Nutec Informatica
> System/Network Administrator        Sao Paulo, SP, BRAZIL
> mailto:montenegro@nutec.com.br      http://www.nutecnet.com.br
> voice.:+55-11-5505-5728             #include <disclaimer.h>
> 
> 
> 

Of course my password is the same as my pet's name.  
My macaw's name was Q47pY!3, but I change it every 90 days.
Nick Simicich mailto:njs@scifi.squawk.com or (last choice) mailto:njs@us.ibm.com
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!

[prev in list] [next in list] [prev in thread] [next in thread]