[RE: [nsp] PIX ASA v. ACL]

Joshua Sahala joshua.ej.smith at usa.net
Thu May 22 13:24:52 EDT 2003


stephen gill has written some stuff on this (or at least something
similar):
http://www.qorbit.net/documents/maximizing-firewall-availability.pdf
http://www.qorbit.net/documents/maximizing-firewall-availability.htm

If I remember correctly, some of the 'bugs' he discusses have been
fixed, but I think it may help to answer your questions, Mourad.

/joshua

"Scott Morris" <swm at emanon.com> wrote:
> You choose the appropriate box based on the throughput you're planning
> to have.  Like any other engineering choice! 
> 
> I haven't heard too much about overloaded boxes, but logic would say
> that it wouldn't pass the initial check procedures and therefore would
> be dropped.  Any of the mechanisms within the PIX, if they fail, the
> default is to NOT allow traffic to flow.  This may cause difficulties
> for some people, but being a firewall, security is the "important" part
> of its job.
> 
> The tests I've seen done have to do with failover performance, and even
> in that state for hundreds of thousands of connections, only a minuscule
> amount were dropped (nothing inadvertently passed through).
> 
> Scott
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mourad BERKANE
> Sent: Thursday, May 22, 2003 5:06 AM
> To: 'swm at emanon.com'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] PIX ASA v. ACL
> 
> 
> 
> >> The PIX is actually software, not hardware.
> 
> What will happen in case of overload traffic on a PIX?
> 
> We know what will happen in case of using ACLs on a cisco router:
> increase of CPU, reboot, ...
> 
> Is there a secure mechanism implemented on a PIX (or in a FW in general)
> that could control the traffic load and guarantee a minimum level of
> filtering service?
> 
> I have never tested it, so it would be nice to get some experiences on this
> issue.
> 
> Mourad
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 



"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
