[nsp] PIX ASA v. ACL

Scott Morris swm at emanon.com
Thu May 22 12:33:19 EDT 2003


You choose the appropriate box based on the throughput you're planning
to have.  Like any other engineering choice! 

I haven't heard too much about overloaded boxes, but logic would say
that it wouldn't pass the initial check procedures and therefore would
be dropped.  If any of the mechanisms within the PIX fail, the
default is to NOT allow traffic to flow.  This may cause difficulties
for some people, but being a firewall, security is the "important" part
of its job.

The tests I've seen done have to do with failover performance, and even
in that state for hundreds of thousands of connections, only a minuscule
amount were dropped (nothing inadvertently passed through).

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mourad BERKANE
Sent: Thursday, May 22, 2003 5:06 AM
To: 'swm at emanon.com'
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] PIX ASA v. ACL
>> The PIX is actually software, not hardware.

What will happen in case of overload traffic on a PIX?

We know what will happen in case of using ACLs on a Cisco router:
increase in CPU load, reboot, ...

Is there a secure mechanism implemented on a PIX (or in a FW in general)
that could control the traffic load and guarantee a minimum level of
filtering service?

I have never tested it, so it would be nice to get some experiences on this
issue.

Mourad