Full Disclosure mailing list archives

Re: Suggestion for IDS


From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 28 Sep 2005 18:15:39 -0500

--On Wednesday, September 28, 2005 17:48:59 +0100 "Paul S. Brown" <pol () geekstuff tv> wrote:

> On Wednesday 28 September 2005 16:56, Michael Holstein wrote:
> > > If you NAT a lot, PIX can't handle the load.  It also isn't flexible
> > > enough.
> >
> > Huh? .. the FWSM (which is PIX and you can have 4 of them in a chassis)
> > can handle 100 interfaces, 5gbps, 100k CPS, and 1M concurrent per blade.
> >
> > http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/
> >
> > Show me an OpenBSD system that can handle 400 interfaces, 20gbps, and 4M
> > connections (and can do HSRP, etc).
> >
> > (I'm not trying to start an open-source "holy war" on a newsgroup .. I
> > use pf too, where I need the granularity -- just not on the whole
> > network).
>
> I suspect the argument here has to be cost-for-cost - in the price range
> for a decent beefy OpenBSD box you aren't going to be using FWSMs, and I
> can quite believe that the PIXen in that price range don't perform - the
> PIX 501 is specced at 60MB/s throughput and the cheapest retail price I
> can find for it is $678 for the unlimited license version - for the same
> money you can get a beefy PC which will push quite a bit more than 60MB/s

$678? Ours were in the mid five figure range. You must be talking about SOHO units.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/