[cisco-bba] Per-User firewall feature

Andy Schutz (aschutz) aschutz at cisco.com
Mon Aug 25 18:09:50 EDT 2003


I've put some comments inline in regards to this...

> -----Original Message-----
> From: cisco-bba-bounces at puck.nether.net 
> [mailto:cisco-bba-bounces at puck.nether.net] On Behalf Of Arie Vayner
> Sent: Monday, August 25, 2003 4:06 PM
> To: cisco-bba at puck.nether.net
> Subject: [cisco-bba] Per-User firewall feature
> Hi
> Does someone deploy such a service for SOHO/home users?

Cisco does have customers that have put this in their network as a
service to their customers.  This could be used for any type of user
that terminates on a BB aggregation router that has the firewall feature
set loaded.  So, PPPoX users, 1483 routed, RBE, etc. users all can use

To answer who would buy this service, I believe the less experienced
user would be targeted.  While this may not always be true, a user
that has enough knowledge to ask for a "firewall" and in turn specify
which protocols/applications they want inspected would more than likely
buy a firewall product and employ it themselves.  I think that a service
provider could sell this to the average user for x$ a month to provide a
"firewall" for each user and protect against DoS attacks, etc.  

> What kind of policies would you create? How many pre-defined packages?

Since this would be applied generally, I think you could probably
account for the needs of 95% of the subscribers with a simple firewall
that inspects just TCP and UDP traffic.  Users who subscribe to this
service just want to be protected and more than likely won't be asking
for protection on an application level (examples: NetMeeting/H.323, r
commands for Unix, etc).  However, if one wants, further customization
beyond standard TCP and UDP inspection could be employed but this could
create provisioning headaches if one starts to have many firewall rule

> Any insights using such a feature on 7400's?

CBAC is not PXF enabled so packets traversing an interface with CBAC
enabled that were to be inspected would be punted to the RP.  Obviously
the feature will still work in this case, it is just CPU dependent as
opposed to PXF enabled features.  The combination of the number of
subscribers and traffic/subscriber will determine your CPU usage. 

Hope that helps.



> Arie

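The "simple firewall that inspects just TCP and UDP" described in the reply above maps onto a small CBAC configuration. The following is an added illustration, not configuration from Andy's message or from Cisco documentation; the names (SOHO_FW, SOHO_INBOUND, Loopback0, the SUBSCRIBERS pool) are assumed values, and it targets a PPPoX virtual-template on a broadband aggregation router.

```cisco
! Added example, not from the mailing-list post. Names and pool are assumed.
!
! Inspection rule: stateful TCP and UDP only, no application-level
! (H.323, r-command, etc.) inspection, matching the "95% of subscribers" case.
ip inspect name SOHO_FW tcp
ip inspect name SOHO_FW udp
!
! Log session open/close events so the provider can see what the per-user
! firewall is doing when a subscriber reports a problem.
ip inspect audit-trail
!
! Default deny toward the subscriber. CBAC adds temporary entries ahead of
! this ACL for sessions the subscriber initiated; only ICMP replies that
! TCP/UDP inspection cannot track are permitted statically.
ip access-list extended SOHO_INBOUND
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Every PPPoX subscriber cloned from this template gets the same policy.
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool SUBSCRIBERS
 ppp authentication chap
 ! Inspect sessions the subscriber originates (inbound on the virtual-access)
 ip inspect SOHO_FW in
 ! Drop unsolicited traffic headed out toward the subscriber
 ip access-group SOHO_INBOUND out
```

The inspection rule and the ACL sit on the same subscriber-facing interface in opposite directions, which is the standard CBAC pattern for an "internal" interface. Given the point made above about CBAC not being PXF-accelerated on the 7400, it is worth watching `show ip inspect sessions` and `show processes cpu` as subscribers are added, since every inspected packet is handled by the route processor.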