
Thursday, December 13, 2007

firewall-wizards Digest, Vol 20, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: OpenBSD pf users? (Wim Lamotte)
2. Re: OpenBSD pf users? (ArkanoiD)
3. Re: Question on Cisco ASA's... do all the features slow it down? (Carson Gaspar)


----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Dec 2007 16:32:14 +0100
From: "Wim Lamotte" <Wim.Lamotte@UHasselt.be>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <03d101c83cd4$2bb821c0$83286540$@Lamotte@UHasselt.be>
Content-Type: text/plain; charset="us-ascii"

Hi all,

Thanks for all the feedback, it's much appreciated!

To Robby: yes, we do have *nix wizards (and luckily more than one, so
leaving is not that much of an issue). We are running OpenVPN for some time
now (we're cutting the SecureClient users off before the end of the year,
because OpenVPN is much more flexible). We're also experienced in setting up
monitoring with mrtg, cacti, etc. In summary, I think we can do most of the
stuff you say with our eyes closed. ;-)

Regarding SmartDefense and content inspection: this is indeed something we
would lose in our transition to pf. But nothing prevents us from adding
application proxies, of course.

To Matthew: our PPS and throughput requirements are relatively moderate,
mostly since our outside line is rather limited (8 Mbps). As far as we have
seen from pf documentation and fora, the performance is way beyond our
needs. Thanks for the links to the pf fora.

To Paul: it's good to hear that we're not the only ones doing the transition
from CP FW-1 to pf! ;-)

Thanks again,

Wim



------------------------------

Message: 2
Date: Thu, 13 Dec 2007 04:38:42 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] OpenBSD pf users?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071213013842.GA29933@eltex.net>
Content-Type: text/plain; charset=koi8-r

Well, though pf is clearly the best packet filter implementation, I
suggest using a set of application proxies atop of it ;-)

On Sun, Dec 09, 2007 at 03:33:44PM +0100, Wim Lamotte wrote:
>
> I was wondering if any of the fw-wiz members is currently using the pf
> firewall on OpenBSD. We are considering this platform as an alternative to
> our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
> have had many problems (cluster not stable, SIP traversal problems,
> SmartDefense unpredictable, high license costs, ...)
>
> If anyone has evaluated the OpenBSD pf platform in the past, and concluded
> that there were good reasons not to use it, I would also be very interested
> to know what these reasons were.

------------------------------

Message: 3
Date: Wed, 12 Dec 2007 16:29:13 -0800
From: Carson Gaspar <carson@taltos.org>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features slow it down?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <47607CD9.8020102@taltos.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

John G. wrote:

> Well, I don't understand really what you mean by the packet sizes and
> first match vs. last match. I am more a firewall apprentice than
> firewall wizard.

A vendor says "we support 1 Gb/sec"

Packet sizes (with silly numbers):

If you have 128 MB (1 Gb) packets, the firewall has to process 1 packet
If you have 1 B packets, the firewall has to process 1073741824 packets

Assuming per-packet overhead is non-zero, those are _hugely_ different
numbers. Of course in reality the values vary between 64 and 1500 bytes,
not 1 and 134217728 bytes.

Rule sizes (related to the above):

Matching a single "permit any any" rule takes some (minimal) time.
Matching a 10,000 entry rule set where the "permit" entry that matches
your packets is last takes some, possibly greater, amount of time,
especially if the firewall has a naive linear rule application algorithm.

In general, you find that:

- Firewalls have a packet rate limit caused by their per-packet
processing overhead. In some cases this is related to their ruleset
size. In most cases this is related to the number of existing connections.

- Firewalls have a new session rate limit caused by their connection
setup overhead. This is almost always related to their rule set size,
although there are exceptions - Lucent had O(1) (constant time) ACL
processing on some of their routers, thanks to some fun math from their
researchers.

- Firewalls have a bit-rate limit caused by hardware platform limits,
but these limits are almost _never_ reached in real life.

--
Carson
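The packet-rate and rule-set-size argument in the post above, as a runnable toy model. This is an added example, not code from the list or from any firewall vendor; the rule semantics, the first-match linear scan with a state table for established flows, the flow 4-tuple and the 10,000-entry "permit last" rule set are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GIGABIT = 10**9  # the vendor's "1 Gb/sec", in bits per second (decimal, not 2^30)

def packets_per_second(bit_rate: int, packet_bytes: int) -> float:
    """Packets the box must handle each second to fill bit_rate at this packet size."""
    return bit_rate / (packet_bytes * 8)

@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "permit" or "deny"

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport in (None, dport)

@dataclass
class NaiveStatefulFirewall:
    """First-match linear rule scan for new sessions; hash lookup for established flows."""
    rules: List[Rule]
    state: Dict[Tuple, str] = field(default_factory=dict)
    comparisons: int = 0  # rule comparisons done: the rule-set-size cost
    lookups: int = 0      # state-table lookups: the per-packet (connection-table) cost

    def handle(self, flow: Tuple, proto: str, dport: int) -> str:
        self.lookups += 1
        if flow in self.state:          # established flow never re-walks the rules
            return self.state[flow]
        for rule in self.rules:         # new session: walk until the first match
            self.comparisons += 1
            if rule.matches(proto, dport):
                if rule.action == "permit":
                    self.state[flow] = "permit"
                return rule.action
        return "deny"                   # implicit default deny

def simulate_session(n_rules: int, n_packets: int) -> Tuple[int, int]:
    """One new TCP session to port 80 through a rule set whose only permit is the LAST entry.
    Returns (rule comparisons, state lookups) after n_packets of that session."""
    rules = [Rule("tcp", 10000 + i, "deny") for i in range(n_rules - 1)]  # none match port 80
    rules.append(Rule("any", None, "permit"))                             # "permit any any", last
    fw = NaiveStatefulFirewall(rules)
    flow = ("10.0.0.1", 40000, "192.0.2.10", 80)  # constructed sample flow 4-tuple
    verdicts = {fw.handle(flow, "tcp", 80) for _ in range(n_packets)}
    assert verdicts == {"permit"}
    return fw.comparisons, fw.lookups
```

At a nominal 1 Gb/s the model needs about 23 times as many packets per second at 64 bytes as at 1500 bytes, and a 10,000-rule set with the permit last costs 10,000 comparisons for the session's first packet but none for the rest, which is why the session setup rate tracks rule-set size while the packet rate tracks the connection table.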


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 20, Issue 9
***********************************************
