[c-nsp] firewall w/ >1Gbps interfaces

Adam Greene maillist at webjogger.net
Thu Nov 3 17:21:06 EST 2005


[posting this back to the list w/ Andris's permission]

Thanks Andris.

We'll definitely need to terminate VPNs, and my understanding is that the
3750s won't do that. That's one of the main reasons I'm considering a 2800
or ASA 5510. But you're right about trying to define what we mean by a
'firewall'. Basically my reasoning has been that I'd like to provide some
additional security on port 80/443 into the webserver, and I was thinking
the ASA 5510 might be able to help out with application-level filtering. I
was also thinking that the customer may want some additional security
features later on, so an ASA 5510 would offer room to grow, no matter what
direction the customer might go in.

Unfortunately, I don't have an ASA 5510 to play with in the lab to really be
sure that it could do anything more than act as a stateful packet filter so
to speak, with the stateful part perhaps even being a drawback due to the
DoS implications. But according to Cisco, the ASA 5510 might even be able to
mitigate those as well, with its new "Anti-X" services, which would
admittedly cost an extra $3000 to implement (they require an AIP SSM).

I appreciate your help,
Adam


----- Original Message -----
From: "Andris Zarins" <andris.zarins at microlink.lv>
To: "Adam Greene" <maillist at webjogger.net>
Sent: Thursday, November 03, 2005 11:25 AM
Subject: RE: [c-nsp] firewall w/ >1Gbps interfaces


If all you need is some packet filtering - the 3750 can do it easily. On
the 3750 ACLs are processed in hardware, so this should not put any stress
on the box's CPU.

If you are thinking about placing some 28xx in front of the 3750 - my advice
- don't do it. If you need pure IP forwarding with some ACLs applied - the
switch can offer superior performance compared with the 28xx. You should
think about a router device only if you need features that the switch
doesn't support in hardware/at all, like NAT, MPLS, non-Ethernet
interfaces and so on.

P.S. - the first thing to do (after writing a security policy) is to define
what you mean by 'firewall' - what functions it should perform - and only
then look for a device that can do those things with an optimal
price/performance ratio. Firewalls at such speeds are very expensive,
like a 7600 with a firewall blade.

Hope that helps,
Andris
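As an added illustration (not from either poster), here is what the hardware-processed packet filtering Andris describes might look like on a 3750 for Adam's case of permitting only ports 80/443 into the web server. The interface name and addresses are assumed placeholders.

```cisco
! Added example: a router ACL on a Catalyst 3750 restricting inbound traffic to a web server.
! Interface name and addresses below are assumed placeholders, not values from the thread.
ip access-list extended FROM-INTERNET
 remark Allow only HTTP/HTTPS to the web server (placeholder address 192.0.2.10)
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark Return traffic for connections the server itself opened (updates, DNS over TCP).
 remark "established" only checks TCP ACK/RST flags; the 3750 keeps no connection state,
 remark so this is stateless filtering, unlike the ASA Adam is considering.
 permit tcp any any established
 remark Everything else is dropped. Adding "log" to this entry sends matching packets
 remark to the CPU for logging, which works against the hardware-only forwarding
 remark that is the point of doing this on the switch.
 deny ip any any
!
interface GigabitEthernet1/0/1
 description Uplink toward the Internet (placeholder)
 ip access-group FROM-INTERNET in
```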




