Educause Security Discussion mailing list archives
Cisco IOS Firewall CPU resource needs
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 5 Nov 2010 13:41:03 +0000
We've been using the Cisco IOS firewall feature set to inspect FTP traffic and open dynamic holes in our default deny policy enforced by ACLs. It has worked well for the past four years and router CPU has been running around 20% at full traffic load.

We recently changed our topology to include interfaces from National LambdaRail. When we try to activate that new topology, router CPU utilization maxes out. If the IOS FW inspection rule is deleted, CPU utilization returns to normal. We temporarily saw similar symptoms last summer when we switched Internet providers, but simply disabling and re-enabling the inspection made the problem go away. No such luck this time.

Cisco is telling us that high CPU utilization is a characteristic of the IOS FW feature and that we should upgrade to ASA or FWSM. My objection is that it has been working fine using low CPU cycles for the past four years with almost identical traffic. In addition, my understanding is that only the selected traffic is inspected, which in our case consists only of FTP traffic, and that volume is low. Finally, I would assume that only the FTP control channel on port 21 needs to be inspected because all the port information needed by the feature set to determine what dynamic ports to open is contained on the control channel. Since control channel traffic is made up of low volume, well defined ASCII command sets and response codes, I don't understand how this could present significant CPU challenges.

We had originally been inspecting traffic on both the inside and outside interfaces. With the new connections, we tried inspecting on all interfaces (the new ones having almost no traffic) and when we ran into the CPU problem, tried inspecting on only the inside interface with all ACLs on that interface. It did not help the problem.

We're running around 500Mb of total traffic through a 7600 series router. Is anyone else using the IOS Firewall feature set and if so, can you comment on your experience with performance?

We are looking at options to upgrade our firewall technology but we'd rather do that in a designed manner rather than as a fix to a problem that has suddenly arisen in a product that has previously worked fine and seems, according to published documentation, not to be working as expected.

Thanks for any information.

--
Gary Flynn
Security Engineer
James Madison University
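The post's point that the control channel alone carries everything a stateful inspector needs can be shown with a small parser. This is an added example, not code from the post or from Cisco IOS: it scans constructed FTP control-channel lines (documentation-range addresses, not the university's) for the PORT command and the 227 passive-mode reply and derives the (address, port) pair the firewall would have to open in a default-deny ACL.

```python
import re
from typing import List, Optional, Tuple

# Constructed FTP control-channel lines (not from the original post). The
# PORT command and the 227 reply are the only two messages that announce a
# data channel; everything else on port 21 can be passed without parsing.
SAMPLE_CONTROL_LINES = [
    "USER anonymous",
    "PORT 198,51,100,23,4,210",                       # active mode: client listens
    "227 Entering Passive Mode (192,0,2,7,195,80)",   # passive mode: server listens
    "RETR file.bin",
]

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$")
_PASV_RE = re.compile(r"^227\b.*\(" + _HOSTPORT + r"\)")


def _decode(m: "re.Match") -> Optional[Tuple[str, int]]:
    """Turn six comma-separated octets into (ip, port); reject out-of-range values."""
    octets = [int(x) for x in m.groups()[:4]]
    p_hi, p_lo = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p_hi > 255 or p_lo > 255:
        return None
    port = p_hi * 256 + p_lo          # FTP encodes the port as two 8-bit halves
    if port == 0:
        return None
    return ".".join(map(str, octets)), port


def data_channel_endpoint(line: str) -> Optional[Tuple[str, str, int]]:
    """Return ("active"|"passive", ip, port) if this control line announces a data channel."""
    m = _PORT_RE.match(line)
    if m:
        ep = _decode(m)
        return ("active", ep[0], ep[1]) if ep else None
    m = _PASV_RE.match(line)
    if m:
        ep = _decode(m)
        return ("passive", ep[0], ep[1]) if ep else None
    return None


def pinholes(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Collect every dynamic (mode, ip, port) a firewall would open for this session."""
    return [ep for ep in map(data_channel_endpoint, lines) if ep]
```

Only the two matching lines produce pinholes; the rest of the session costs a regex miss each, which is the low per-packet work the post expects from control-channel-only inspection.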
Current thread:
- Cisco IOS Firewall CPU resource needs Flynn, Gary - flynngn (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Josh Richard (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Flynn, Gary - flynngn (Nov 05)
- Re: Cisco IOS Firewall CPU resource needs Josh Richard (Nov 05)