
Wednesday, December 12, 2007

firewall-wizards Digest, Vol 20, Issue 8

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Question on Cisco ASA's... do all the features slow it
down? (jacob c)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Dec 2007 14:22:22 -0800 (PST)
From: jacob c <jctx09@yahoo.com>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features
slow it down?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <666971.20905.qm@web54008.mail.re2.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

John,

My original reply was based on the assumption that you were thinking about the ASA box because you wanted a UTM-style box. If that is the case, my opinion is that Cisco is always behind the curve when it comes to their security boxes. The ASA itself is a box that came out two years AFTER everyone else was already producing UTM appliances. Therefore, vendors like Juniper and Fortinet have had a multi-function box for quite a while and they are very mature platforms. Also, you can't completely manage an ASA through the GUI. You will still have to learn lots of CLI.

All I'm saying is that it shouldn't be that hard. Technology should be simpler once it's been around for a while, and it is with other vendors. Please keep in mind that I am NOT anti-Cisco. Feature for feature, they still make the best routers and switches around, and their VoIP solution is pretty mature nowadays too. I just don't think much of their security appliances. I actually work for a consulting company and I sell/support all three vendors' appliances.

In the end, if you want a UTM-style box, which is the current trend, research your options besides Cisco. This includes browsing the Cisco-nsp forum as well, and you will see enough validation for my claims.

Thanks,
Jacob

"John G." <isaac737@gmail.com> wrote:
greetings and salutations. peace to the nations.

well, i don't understand really what you mean by the packet sizes and first match vs. last match. i am more a firewall apprentice than firewall wizard.

what i can definitely agree with is the performance data that a certain company from the Bay Area says their firewalls can do around 200 Megabits/second. we are seeing 80% CPU load on the firewall (watched via Nagios and Cacti) when we push around 10 Megabits/second.

how is this even a useful metric is my question? 200 Megabits/second with a default ALLOW ANY to ANY ruleset on both in and out?? :P

-jg

On Dec 10, 2007 9:42 PM, Carson Gaspar <carson@taltos.org> wrote:
jacob c wrote:
> 1) Firewall performance figures from all vendors are highly overrated on
> the datasheets.


If you want to get a certain firewall company to complain to your senior
management that you're being "mean" and try and get you fired, demand 64
byte packet last-match performance numbers (as opposed to the 1500+ byte
first match numbers they'll try and give you). Also be very careful to
ask about behaviour when this limit is exceeded. It was very informative
to see which vendors were packet rate limited and which were bit rate
limited. The performance scaling with ruleset size was also interesting.
Sadly I don't know of any vendors that publish this data openly. I do
know that you can tell a good one by their reaction when you ask for it.

(And, no, I'm not making this up. But I'll refrain from naming names
since they can afford to sue me out of existence.)

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
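An added example, not from the thread or any vendor, modelling Carson's point that a datasheet figure taken with large frames and a first-match packet says little about 64-byte, last-match traffic. The ruleset, the 200 Mbps data-path cap and the 100k rule-comparisons-per-second engine budget are constructed assumptions.

```python
"""Throughput model: bit-rate cap vs. rule-engine (packet-rate) limit."""

ETH_OVERHEAD = 20  # preamble + inter-frame gap: bytes on the wire per frame


def linear_match(rules, packet):
    """First-match linear scan over an ordered ruleset.
    Returns (action, rules_checked); an unmatched packet costs a full scan."""
    for checked, rule in enumerate(rules, start=1):
        if all(packet.get(k) == v for k, v in rule["match"].items()):
            return rule["action"], checked
    return "deny", len(rules)  # implicit default deny at the end


def packets_per_second(mbps, frame_bytes):
    """Packet rate that a bit-rate figure implies at one frame size."""
    return mbps * 1e6 / 8 / (frame_bytes + ETH_OVERHEAD)


def effective_mbps(frame_bytes, rules_checked, bitrate_cap_mbps, rule_checks_per_sec):
    """Throughput under both a data-path bit-rate cap and a rule-engine budget
    (comparisons per second). Whichever gives the lower packet rate wins."""
    pps_engine = rule_checks_per_sec / rules_checked
    pps = min(pps_engine, packets_per_second(bitrate_cap_mbps, frame_bytes))
    return pps * (frame_bytes + ETH_OVERHEAD) * 8 / 1e6


# Constructed ruleset: 500 host-specific permits on port 443, in order.
RULES = [{"match": {"dst": f"10.0.{i // 256}.{i % 256}", "dport": 443},
          "action": "permit"} for i in range(500)]
FIRST_HIT = {"dst": "10.0.0.0", "dport": 443}    # matches rule 1
LAST_HIT = {"dst": "10.0.1.243", "dport": 443}   # matches rule 500

# Constructed device: 200 Mbps data path, 100k rule comparisons per second.
DEVICE = dict(bitrate_cap_mbps=200, rule_checks_per_sec=100_000)


def benchmark(frame_bytes, packet):
    """Throughput (Mbps, 2 dp) the device sustains for one traffic profile."""
    _, checked = linear_match(RULES, packet)
    return round(effective_mbps(frame_bytes, checked, **DEVICE), 2)


if __name__ == "__main__":
    for frame, pkt, label in [(1518, FIRST_HIT, "1518 B, first match"),
                              (64, FIRST_HIT, "64 B, first match"),
                              (64, LAST_HIT, "64 B, last match")]:
        print(f"{label:>20}: {benchmark(frame, pkt):8.2f} Mbps")
```

The first row reproduces the "datasheet" 200 Mbps; the same box drops to 67.2 Mbps on 64-byte first-match traffic and to 0.13 Mbps when every 64-byte packet has to walk all 500 rules.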







------------------------------



End of firewall-wizards Digest, Vol 20, Issue 8
***********************************************
