Firewall Wizards mailing list archives
RE: Comparisons between Router ACLs and Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 03 Jan 2004 18:11:00 -0500
Bill James wrote:
> This is based on experience over the years and having clients wanting to run IP Inspect and ACLs on the same 1720 router with 8 MB flash and 32 MB RAM and a high-volume link... On this particular site NAT is running, there are about 20 full-time PPTP users passing through to an MS server, and approx. 15 permits in the ACLs with the customary deny-all at the end.
I wonder if that's a typical mix. It'd be really cool if we could actually say things like "running NAT on a blah blah where the processor hits x%, we measured a performance impact of y on a mix of 70/20/10 web/email/other traffic." There are a lot of intangibles but - well - I wish there were fewer! :)
> On a typical day this router runs at 50 to 75 percent processor... (I know... I have explained to the customer the need to upgrade the router)
It sure would be neat if someone actually studied some of this stuff and did a whitepaper on the downstream performance effects of router load. That's what bugs me about all this stuff. We can sit here and say "the router is running at 50% processor" but what does that *MEAN* in terms of throughput?

We security geeks have had performance played as a card against security over and over and over as long as I've been working this beat. I've seen many organizations that should know better leave important systems wide open because the router geeks blew "the performance impact of ACLs" in some manager's ear and security went out the window. I don't know how to beat it, but I bet some hard numbers would help a lot. With the antivirus thing you can usually get by with a rule of thumb like "antivirus will cost you 2% of your CPU performance" and most people will buy it and stop blowing performance smoke on that topic.

So, whenever someone talks about ACL performance I ask them if they have any hard numbers. I'm still looking... :)

Anyone on the list looking for a topic for a LISA paper?

mjr.