>>[Livingston IRX description]
>Yep, the filtering is excellent. However, the rules are evaluated
>from the top down, so the most frequently used rules can be
>prioritised (e.g. allow TCP packets from established
>connections); would this fix the "noticeable slowdown"?
Yes and no. Yes, they're evaluated top-down, so you can do that
(and obviously should). But proper security design of the
filtering algorithm requires that you put exceptions at the
top, which will slow down handling non-excepted packets (which
are the majority at my site; we're pretty "open" though).
Much depends on your filter configuration requirements,
how much needs to be filtered and to what level of detail.
At least the IRX can technically handle the very detailed
filters.
We had one IRX handling 2 T-1's with a 25 rule filter and
keeping up as long as the lines were only half full, but it
seemed to noticeably lag when they got more saturated.
Annoyingly, if you plug a 56k in, it seems to slow it down
as much as a T-1.
-george william herbert
gwh@crl.com                                  Speaking only for myself
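The trade-off the post describes (put the common "established TCP" permit on top for speed, or put the deny exceptions on top for correctness) as an added example; this is not code from the post or from Livingston, and the rule fields, rule syntax and documentation-range addresses are constructed for illustration rather than IRX filter syntax. It models top-down first-match evaluation, reports how many rules each packet walks, and flags deny exceptions that sit below an overlapping permit.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    established: bool = False   # TCP reply traffic (ACK set)

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # None is a wildcard
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: Optional[bool] = None

    def key(self) -> tuple:
        return (self.src, self.proto, self.dport, self.established)

    def matches(self, p: Packet) -> bool:
        have = (p.src, p.proto, p.dport, p.established)
        return all(w is None or w == h for w, h in zip(self.key(), have))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules (wildcard or equal per field)."""
        return all(a is None or b is None or a == b for a, b in zip(self.key(), other.key()))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Top-down first match; returns (action, number of rules examined)."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, i
    return "deny", len(rules)        # default deny when nothing matches

def shadowed_exceptions(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Deny rules placed below an overlapping permit: (deny_index, permit_index)."""
    return [(j, i) for j, d in enumerate(rules) if d.action == "deny"
            for i in range(j) if rules[i].action == "permit" and rules[i].overlaps(d)]

# Constructed rule set; addresses are from documentation ranges, not real hosts.
BLOCK_HOST = Rule("deny", src="192.0.2.66")                  # the exception
ESTABLISHED = Rule("permit", proto="tcp", established=True)  # the common case
SMTP = Rule("permit", proto="tcp", dport=25)
SECURE_ORDER = [BLOCK_HOST, ESTABLISHED, SMTP]   # exception on top, as the post advises
FAST_ORDER = [ESTABLISHED, BLOCK_HOST, SMTP]     # common case on top
REPLY = Packet("198.51.100.7", "tcp", 1234, established=True)
BAD_REPLY = Packet("192.0.2.66", "tcp", 1234, established=True)
```

With FAST_ORDER every established reply is decided on rule 1, but a reply from the blocked host is permitted too; SECURE_ORDER costs one extra comparison per ordinary packet and keeps the exception effective, which is the slowdown the post accepts.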