Firewall Wizards mailing list archives

RE: Comparisons between Router ACLs and Firewalls


From: Paul Robertson <proberts () patriot net>
Date: Sat, 3 Jan 2004 18:39:51 -0500 (EST)

On Sat, 3 Jan 2004, Marcus J. Ranum wrote:

> I've never found any good studies of ACL performance. Do you have any
> references you can point us to?

Cisco used to publish some "can do $foo access lists without impact" stuff
with certain models.  If we're lucky, maybe Brian will see this and post
some pointers.

The not-normal-ACL stuff carries a heavy penalty - as the extended ACL
stuff does if you want silicon switching - I did a whole look at the
switching methods versus performance stuff a while back when writing
TruSecure's router essential config guide - and for almost everything (AIR,
there were two cards on one model where things sucked) you didn't get into
trouble until you had more rules than sense.  I think I left most of the
switching mode stuff out of the document in the end, because it just
confused people.

Now, send packets *to* the router, or send packets where the router has to
go to CPU land to process them, and things get significantly different
(which is why you really want to ACL off your routers from the rest of the
world.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
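An added example (not from the post or the list) of the "ACL off your routers from the rest of the world" point above, in Cisco IOS syntax: transit traffic is left to the switching path, while packets addressed to the router's own interface are dropped unless they come from a trusted management network or a known routing peer. All addresses are constructed from documentation ranges (192.0.2.1 as the router's interface address, 198.51.100.0/24 as the management network, 203.0.113.2 as the BGP peer) and the interface name is assumed.

```cisco
! Added example, not from the original post. Constructed addresses:
! 192.0.2.1 = this router's interface, 198.51.100.0/24 = management net,
! 203.0.113.2 = upstream BGP peer. Interface name is assumed.
!
! Transit packets can stay on the fast/silicon path; packets addressed
! *to* the router get punted to the CPU, so limit who can send them.
ip access-list extended PROTECT-ROUTER
 ! management (SSH) only from the trusted network
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.1 eq 22
 ! BGP session only with the known peer, in either direction of setup
 permit tcp host 203.0.113.2 host 192.0.2.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 192.0.2.1
 ! ICMP that is useful to keep (troubleshooting, path MTU discovery)
 permit icmp any host 192.0.2.1 echo
 permit icmp any host 192.0.2.1 packet-too-big
 ! everything else aimed at the router itself is dropped.
 ! note: the "log" keyword itself costs CPU cycles per matching packet,
 ! which is the very thing this list is trying to protect, so use it
 ! sparingly or drop it once the policy is verified.
 deny   ip any host 192.0.2.1 log
 ! transit traffic is not this list's concern; let it through here
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group PROTECT-ROUTER in
!
! Belt and braces: also restrict the vty lines, so management stays
! limited even for traffic arriving over another interface.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

Every address the router owns (loopbacks, other interfaces) and every ingress interface needs the same treatment, otherwise the unprotected path is the one that ends up in CPU land.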
