Firewall Wizards mailing list archives

Re: Question on Cisco ASA's... do all the features slow it down?


From: Carson Gaspar <carson () taltos org>
Date: Wed, 12 Dec 2007 16:29:13 -0800

John G. wrote:

> well, i don't understand really what you mean by the packet sizes and 
> first match vs. last match.  i am more a firewall apprentice than 
> firewall wizard.

A vendor says "we support 1 Gb/sec"

Packet sizes (with silly numbers):

If you have 128 MB (1 Gb) packets, the firewall has to process 1 packet
If you have 1 B packets, the firewall has to process 1073741824 packets

Assuming per-packet overhead is non-zero, those are _hugely_ different 
numbers. Of course in reality the values vary between 64 and 1500 bytes, 
not 1 and 134217728 bytes.

Rule sizes (related to the above):

Matching a single "permit any any" rule takes some (minimal) time. 
Matching a 10,000 entry rule set where the "permit" entry that matches 
your packets is last takes some, possibly greater, amount of time, 
especially if the firewall has a naive linear rule application algorithm.

In general, you find that:

- Firewalls have a packet rate limit caused by their per-packet 
processing overhead. In some cases this is related to their ruleset 
size. In most cases this is related to the number of existing connections.

- Firewalls have a new session rate limit caused by their connection 
setup overhead. This is almost always related to their rule set size, 
although there are exceptions - Lucent had O(1) (constant time) ACL 
processing on some of their routers, thanks to some fun math from their 
researchers.

- Firewalls have a bit-rate limit caused by hardware platform limits, 
but these limits are almost _never_ reached in real life.

-- 
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
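The three limits Carson lists (packet rate, new-session rate, bit rate) can be made concrete with a small model. The Python below is an added example, not code from the original post or from any vendor: it computes the frame rate needed to fill a 1 Gb/s link at the smallest and largest Ethernet frame sizes, then runs a toy stateful firewall whose first packet of a flow walks a linear rule list (first match wins) and whose later packets hit a flow table. The 20-byte per-frame wire overhead (preamble, SFD and inter-frame gap), the decimal gigabit, the `Rule` shape and the 10,000-entry ruleset are all assumptions constructed for the example.

```python
"""Added example (not from the original post): why packet size and rule
position dominate a firewall's real throughput, per the three limits above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GIGABIT = 1_000_000_000          # bits/s, decimal Gb as vendors quote it (assumption)
ETH_OVERHEAD = 20                # preamble(7)+SFD(1)+IFG(12) bytes per frame on the wire


def packets_per_second(link_bps: int, frame_bytes: int) -> int:
    """Frames/s needed to fill link_bps with frames of frame_bytes (the packet-rate limit)."""
    wire_bytes = frame_bytes + ETH_OVERHEAD
    return link_bps // (wire_bytes * 8)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str]         # None matches any protocol
    dst_port: Optional[int]      # None matches any port


def linear_match(rules: List[Rule], proto: str, dst_port: int) -> Tuple[str, int]:
    """Naive first-match scan. Returns (action, rules_examined); implicit deny at end."""
    for examined, r in enumerate(rules, 1):
        if (r.proto is None or r.proto == proto) and (r.dst_port is None or r.dst_port == dst_port):
            return r.action, examined
    return "deny", len(rules)


class StatefulFirewall:
    """New sessions pay the rule walk (session-rate limit); established flows pay
    one dict lookup (packet-rate limit tied to the connection table)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = {}          # (proto, src_port, dst_port) -> action
        self.rule_steps = 0      # total rule comparisons performed
        self.flow_hits = 0       # packets answered from the flow table

    def process(self, proto: str, src_port: int, dst_port: int) -> str:
        key = (proto, src_port, dst_port)
        action = self.flows.get(key)
        if action is not None:
            self.flow_hits += 1
            return action
        action, examined = linear_match(self.rules, proto, dst_port)
        self.rule_steps += examined
        if action == "permit":   # only permitted flows are cached in this toy model
            self.flows[key] = action
        return action


def build_ruleset(n: int, permit_position: int) -> List[Rule]:
    """Constructed ruleset: n entries, one 'permit tcp 443' at permit_position (1-based),
    the rest 'deny' entries on unrelated ports so they never match port 443."""
    return [Rule("permit", "tcp", 443) if i == permit_position
            else Rule("deny", "tcp", 10000 + i)
            for i in range(1, n + 1)]


def simulate(rules: List[Rule], packets: List[Tuple[str, int, int]]) -> Tuple[int, int]:
    """Run packets (proto, src_port, dst_port) through a fresh firewall; return (rule_steps, flow_hits)."""
    fw = StatefulFirewall(rules)
    for proto, src, dst in packets:
        fw.process(proto, src, dst)
    return fw.rule_steps, fw.flow_hits


if __name__ == "__main__":
    print("64B frames/s at 1 Gb/s:", packets_per_second(GIGABIT, 64))
    print("1500B frames/s at 1 Gb/s:", packets_per_second(GIGABIT, 1500))
    same_flow = [("tcp", 51234, 443)] * 100         # one session, 100 packets
    print("permit first:", simulate(build_ruleset(10000, 1), same_flow))
    print("permit last: ", simulate(build_ruleset(10000, 10000), same_flow))
    # Worst case: a stream of denied new sessions, every packet walks the whole list
    print("denied flood:", simulate(build_ruleset(10000, 10000), [("tcp", 40000, 22)] * 10))
```

The frame-rate figures show why "1 Gb/sec" means about eighteen times more packets per second at 64 bytes than at 1500; the simulation shows that moving the matching permit from the head to the tail of a 10,000-rule list multiplies the per-session cost by 10,000 while established-flow packets cost the same either way, and that a flood of denied new sessions is the case that hurts a naive linear matcher most.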

