Educause Security Discussion mailing list archives

Re: Cisco IOS Firewall CPU resource needs


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Fri, 5 Nov 2010 17:53:12 +0000

-----Original Message-----
From: Josh Richard <jrichar4 () D UMN EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date: Fri, 5 Nov 2010 09:55:00 -0500
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Cisco IOS Firewall CPU resource needs

Hi Gary,

Is the ordering of the IOSFW rules sane?

Hi Josh,

There really aren't any IOSFW rules except the inspection rules on the
interfaces and the global one telling it to inspect only FTP traffic.

As far as the ACLs, I'm sure they could be improved but I'm not sure how
that affects the CPU. Aren't CPU cycles primarily taken up by inspection
of the traffic to determine when a dynamic ACE needs to be added to allow
the data channel traffic? I wouldn't think insertion of the ACE would be
the operation that takes up the CPU but who knows. Some folks would
certainly say we have long ACLs...something like 1200 ACEs on the inbound
list and 800 ACEs on the outbound list. Whether they're sane or not
depends somewhat on the eye of the beholder and their opinion on border
access controls. :)

Do you have an ip any any
established rule?

Yes.

Did Cisco provide a rationale for why the ASA/FWSM
would be better?

Because the functionality would no longer be processed in software. All
IOS FW inspection is done in software. My argument is that it has been
processed fine in software for the past four years with similar traffic
with no problems. And only traffic specified by the configuration (in our
case FTP) is inspected. Netflow information is used to determine what
traffic to forward to the inspection process.


-- 
Gary Flynn

Security Engineer
James Madison University
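As an added illustration (not Gary's configuration, which the thread does not show), this is the classic IOS CBAC shape the reply describes: one global inspection rule limited to FTP, applied on an interface, beside a long static inbound ACL whose first ACE is "permit tcp any any established". Interface names, the ACL number and the addresses are assumptions.

```cisco
! Added example, not the poster's configuration. Interface names,
! the ACL number and the address range (RFC 5737) are assumptions.
!
! Global rule: FTP is the only protocol handed to the software
! inspection engine. Everything else is filtered by the static ACLs.
ip inspect name BORDER-FW ftp
!
! Inbound border ACL. With the "established" ACE first, return traffic
! for campus-initiated TCP sessions matches on the first entry instead
! of walking the rest of a long list.
access-list 101 remark Inbound border filter (constructed example)
access-list 101 permit tcp any any established
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 101 deny   ip any any
!
interface GigabitEthernet0/0
 description Internet-facing border interface
 ip access-group 101 in
!
interface GigabitEthernet0/1
 description Campus side
 ! Inspect campus-originated FTP control sessions so the negotiated
 ! data channel gets a temporary ACE through ACL 101.
 ip inspect BORDER-FW in
```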
