Firewalls: Re: Packet filtering overhead

Firewalls
(July 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Packet filtering overhead
From:	quent . johnson @ intellistor . com (Quentin Johnson)
Date:	Wed, 6 Jul 94 08:58:36 MDT
To:	firewalls @ greatcircle . com

 david @
 capmkt .
 com asked:

>What is the packet filtering overhead for a router?

I've heard people mention that access lists impose a significant overhead;
the box is so much faster than 56Kbps or T1 speeds that it doesn't matter.

>My colleague was not convinced, and feels that the filtering 
>overhead alone slows up a router so much that a dual-homed gateway 
>is thus the better firewall.

Either way, something has to look at packets to enforce a security policy
and endure some overhead.

Some don't like to put all their eggs in one basket and use both a router
and a gateway.  Most security schemes (banks, military facilities,...) use
a layered approach.

	Quent Johnson

Follow-Ups:

Re: Packet filtering overhead
From: tdn @ tdn . xyplex . com (Thomas D. Nadeau)

Indexed By Date	Previous:	Router Configs for Firewalls FAQ From: Allen Leibowitz <leibowa @ wl . com>
Indexed By Date	Next:	Re: Faking source address on TCP packets From: quent . johnson @ intellistor . com (Quentin Johnson)
Indexed By Thread	Previous:	Re: Packet filtering overhead From: dotytr @ nscultrix2 . network . com (Ted Doty)
Indexed By Thread	Next:	Re: Packet filtering overhead From: tdn @ tdn . xyplex . com (Thomas D. Nadeau)