Saturday, July 18, 2009

firewall-wizards Digest, Vol 39, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Firewall rules order and performance (Pierre Blanchet)


----------------------------------------------------------------------

Message: 1
Date: Fri, 17 Jul 2009 16:51:48 +0200
From: Pierre Blanchet <pierre.blanchet@exaprotect.com>
Subject: [fw-wiz] Firewall rules order and performance
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<696B00608E6AE441B0C3509B4652F789119DA8A100@artemis.ept.exaprotect.net>

Content-Type: text/plain; charset="us-ascii"

It is a well-known idea that rule order is important for the best performance of a firewall. However, nowadays:
1. Stateful firewalls use their stateful engine to allow traffic for existing connections. That means their performance is related more to the number of existing sessions than to the number of rules, or more exactly to the ratio of new to existing sessions.
2. Some firewalls no longer parse the configuration line by line but use a hardware-based or tree-based model. Again, the number of rules has less effect on performance.

I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rule order, but what about the others? Google didn't give any information one way or the other.

--
Pierre Blanchet
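As an added illustration of the two points raised in the post (not part of the original message), the following Python model counts rule comparisons for a constructed traffic mix under a linear first-match scan, a state table, and a port-indexed (tree-like) rule base. All rules, ports and flows are made up.

```python
"""Toy cost model for the two claims in the post: a stateful firewall
only consults the rule base for the first packet of a session, and an
indexed (tree-like) rule base makes lookup cost independent of rule
count. Constructed example; the rule set and traffic mix are made up."""
from collections import defaultdict

def build_rules(n_noise):
    """(proto, dport, action) tuples; dport 0 means any port. n_noise
    never-matching rules sit in front, as in a badly ordered rule base."""
    noise = [("tcp", 10000 + i, "drop") for i in range(n_noise)]
    return noise + [("tcp", 443, "accept"), ("udp", 53, "accept"),
                    ("tcp", 0, "drop"), ("udp", 0, "drop")]

def linear_match(rules, proto, dport):
    """First-match scan over the ordered list; returns (action, comparisons)."""
    for i, (p, d, action) in enumerate(rules, 1):
        if p == proto and d in (0, dport):
            return action, i
    return "drop", len(rules)

def build_index(rules):
    """Bucket rules by (proto, dport), keeping their position so first-match
    semantics survive; a real product would use a trie or TCAM instead."""
    index = defaultdict(list)
    for pos, (p, d, action) in enumerate(rules):
        index[(p, d)].append((pos, action))
    return index

def indexed_match(index, proto, dport):
    """Only the exact-port and wildcard buckets are examined."""
    cands = index[(proto, dport)] + index[(proto, 0)]
    return (min(cands)[1] if cands else "drop"), len(cands)

def simulate(rules, flows, pkts_per_flow, stateful, indexed=False):
    """Total rule comparisons for a traffic mix of `flows` sessions, each
    carrying pkts_per_flow packets. Stateful mode answers packets of an
    already-seen session from the state table without touching the rules."""
    index = build_index(rules)
    state, comparisons = set(), 0
    for f in range(flows):
        proto, dport = ("tcp", 443) if f % 2 else ("udp", 53)
        key = (proto, 40000 + f, dport)          # constructed 5-tuple stand-in
        for _ in range(pkts_per_flow):
            if stateful and key in state:
                continue
            if indexed:
                comparisons += indexed_match(index, proto, dport)[1]
            else:
                comparisons += linear_match(rules, proto, dport)[1]
            state.add(key)
    return comparisons
```

With 100 noise rules, 10 sessions of 20 packets cost 20300 comparisons stateless and 1015 stateful, so the stateful cost tracks the new/existing ratio; the indexed variant costs 20 whether there are 100 or 1000 noise rules.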


------------------------------



End of firewall-wizards Digest, Vol 39, Issue 6
***********************************************
