Great Circle Associates Firewalls
(July 1994)
 


Subject: Re: Packet filtering overhead
From: Luther Garcia <luth @ stealth . sprintlink . net>
Date: Tue, 5 Jul 1994 22:22:33 -0400 (EDT)
To: david @ capmkt . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9407052351 . AA17478 @ yen . capmkt . com>

	That depends upon a number of things, like volume of traffic in
the router's network, and the type of CISCO you have.  A 7000, for example,
on a net with heavy traffic and 16MB mem, and at least 4MB flash, would
do the job quite nicely, with virtually no noticeable performance hits.
Unfortunately, a 7000 is about 80k.  I would say that, no matter what
model of CISCO you have, you should try with the most detailed packet
filtering configuration you can, and go from there, gradually decreasing
packet filtering to acceptable performance limits if necessary, and consider
an upgrade in memory and flash.


____________________________________________________________________________
Luther S. Garcia					|"I am."
US SPRINT						| 
Sprintlink Engineering/Development			| 
Herndon, VA.						|
luth @ sprintlink . net					|
______________________________________________________________________________

On Tue, 5 Jul 1994 david @ capmkt . com wrote:

> What is the packet filtering overhead for a router?
> 
> Let's use a Cisco as an example.  I want to know
> (roughly) what the performance degradation would be
> for simple and complex filter sets (as compared to
> no filtering whatsoever).
> 
> Why?  A colleague of mine has a dual-homed gateway, and I was
> talking up the virtues of a bastion/packet filtering approach.
> My colleague was not convinced, and feels that the filtering 
> overhead alone slows up a router so much that a dual-homed gateway 
> is thus the better firewall.
> 
> All comments and opinions cheerfully accepted.
> 
> -------------------------------------------------------------------
> David Mostardi                              Email: david @ capmkt . com
> Network & Systems Administrator             Phone: (510) 540-6400	
> Capital Market Technology, Inc.               FAX: (510) 540-5505
> 1995 University Ave. #390, Berkeley CA 94704
> 

