Great Circle Associates Firewalls
(July 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Packet filtering overhead
From: dotytr @ nscultrix2 . network . com (Ted Doty)
Date: Wed, 6 Jul 94 13:26:11 CDT
To: david @ capmkt . com, firewalls @ greatcircle . com

> What is the packet filtering overhead for a router?
 
Depends on the router.  The Network Systems routers run at
about 11,500 pps with 200 small filters active.  Other vendors
perform at different rates.

It also depends on what you mean by a "filter".  Obviously, the
more you do in the filter, the longer your code path.  Again, this
will vary between vendors.

> Let's use a Cisco as an example.  I want to know
> (roughly) what the performance degradation would be
> for simple and complex filter sets (as compared to
> no filtering whatsoever).
 
Define the services you would like filtered, and we vendors can
begin to answer this.  I'm not trying to weasel out of the question,
it's just that you asked the equivalent of "What's the performance
difference between a simple program and a complex program?"

> Why?  A colleague of mine has a dual-homed gateway, and I was
> talking up the virtues of a bastion/packet filtering approach.
> My colleague was not convinced, and feels that the filtering
> overhead alone slows up a router so much that a dual-homed gateway
> is thus the better firewall.

I would argue that filtering performance (at least on OUR routers)
is quite fast.  Filtering routers and firewall hosts perform different
functions, so are complimentary, rather than competators.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone:      +1 301 596-2270
8965 Guilford Road, Suite 250         | fax:        +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
if (setsockopt(sockfd, SOL_SOCKET, STD_DISCLAIMER, (char *), &sendbuff,
    &optlen) < 0)
printf ("Standard Disclaimers Apply ...\n");

Indexed By Date Previous: firewall training classes
From: Richard Deal <deal @ xi . cs . fsu . edu>
Next: Re: DNS w/o NIS W/C2
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Indexed By Thread Previous: Re: Packet filtering overhead
From: mark @ escact . ksc . nasa . gov (Mark E. Gibbons)
Next: Re: Packet filtering overhead
From: quent . johnson @ intellistor . com (Quentin Johnson)

Google
 
Search Internet Search www.greatcircle.com