[c-nsp] External Firewall
Fred Reimer
freimer at ctiusa.com
Mon Mar 24 16:09:04 EDT 2008
So the root question is why a Cisco 7200 router would perform better than a
PC running BSD, beefy as that PC may be?
Without questioning the merits behind spending time on this, I'm not sure
what benefit a firewall would provide. Exactly what are you looking for the
firewall to do? You wanted to see "how it performs" with the firewall in
various locations. Doing what?
Sorry I can't be of more help. I understand what you are trying to find
out, but not what a firewall has to do with it. You could possibly put a
firewall before and/or after in transparent mode.
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
-----Original Message-----
From: Sridhar Ayengar [mailto:ploopster at gmail.com]
Sent: Monday, March 24, 2008 3:12 PM
To: Fred Reimer
Cc: Masood Ahmad Shah; Cisco NSPs
Subject: Re: [c-nsp] External Firewall
Fred Reimer wrote:
> Why, exactly? Performance of the firewall?
Yes. I have two identical networks set up for one company in two
different locations. One has a Cisco router (said 7200) talking
upstream to a big WAN pipe and downstream to two gigabit ethernet
networks. The second location has the same WAN and LAN configuration,
WAN line distance and quality measurement numbers, etc. The only
difference is that it is a BSD PC. The Cisco performs noticeably and measurably
better in latency and throughput. Neither is running firewall code.
Now, the BSD PC has gobs more processor horsepower, memory- and
bus-bandwidth. Why should the Cisco outperform it?
To find out, I wanted to set up a selection of scenarios in the lab.
(1) I wanted to try setting up the firewall between the "internal"
gigabit network and the 7200. (2) I then wanted to set up the firewall
between the WAN interface and the router to see how that performs. (3)
I wanted to set up what I described in my original message, with the
firewall performing only stateful inspection functions, and allowing the
router to perform packet switching functions without interference from
the firewall once the session is operating.
As far as I can see, the advantage of (1) is that traffic heading to the
"external" gigabit LAN wouldn't come across the firewall PC. However,
the disadvantage would be that traffic between the two LANs would have
to pass through it. That might be unacceptable.
The advantage of (2) might be that traffic between the "internal" and
"external" LANs wouldn't come near the firewall PC. Also, the WAN pipe
may not require the throughput advantage of the Cisco. (It may indeed,
but it might not be as sensitive.) However, this does add a couple
dozen ms to the latency of the upstream connection.
As far as I can tell, (3) would be the best of both worlds, but I, for
the life of me, can't figure out if there's a way to set a network up
like that.
Any ideas?
Peace... Sridhar
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
> Sent: Monday, March 24, 2008 1:31 PM
> To: Masood Ahmad Shah
> Cc: 'Cisco NSPs'
> Subject: Re: [c-nsp] External Firewall
>
> Masood Ahmad Shah wrote:
>> Normally people would put it like shown below:
>>
>> WAN-Router<--------->Firewall<------>LAN-Switch
>
> That's what I was hoping to avoid.
>
> Peace... Sridhar
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
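Scenario (3) in the thread above is a session-offload design: the firewall inspects only the packet that opens a session, and the router forwards the rest of that session from its own flow table without touching the firewall again. The following is an added illustration written for this page, not code from the thread or from any Cisco or BSD product; the `Firewall` and `Router` classes, the policy (inside hosts may open anything outbound, outside hosts only port 443 inbound) and the traffic are all constructed. It also shows the trade-off this design carries: once a flow is offloaded, the firewall no longer sees its packets, so nothing mid-session (flags, sequence numbers, payload) is inspected.

```python
"""Model of firewall-on-setup, router-on-fast-path forwarding.

Constructed example for illustration; simplified TCP handling (a single FIN or
RST tears the flow down, no idle timeout, no sequence tracking).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: str = ""  # "S", "SA", "A", "F", "R"


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def reverse_key(k: FlowKey) -> FlowKey:
    src, dst, sport, dport, proto = k
    return (dst, src, dport, sport, proto)


class Firewall:
    """Stateful policy consulted only for packets with no flow entry (slow path)."""

    def __init__(self, inside_prefix: str, allowed_inbound_ports) -> None:
        self.inside_prefix = inside_prefix
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.inspected = 0  # how many packets actually reached the firewall

    def verdict(self, p: Packet) -> bool:
        self.inspected += 1
        if p.proto == "tcp" and p.flags != "S":
            return False  # only a SYN may create TCP state
        if p.src.startswith(self.inside_prefix):
            return True  # inside hosts may initiate anything outbound
        return p.dport in self.allowed_inbound_ports


class Router:
    """Forwarding path with a flow table programmed from firewall verdicts."""

    def __init__(self, fw: Firewall) -> None:
        self.fw = fw
        self.flows: Dict[FlowKey, bool] = {}
        self.fast_path = 0  # packets forwarded without consulting the firewall
        self.forwarded = 0
        self.dropped = 0

    def handle(self, p: Packet) -> bool:
        k = flow_key(p)
        if k in self.flows:
            # Offloaded flow: forward blindly, the firewall sees nothing here.
            self.fast_path += 1
            allowed = True
            if "F" in p.flags or "R" in p.flags:
                # Teardown: drop both directions so a new SYN is inspected again.
                self.flows.pop(k, None)
                self.flows.pop(reverse_key(k), None)
        else:
            allowed = self.fw.verdict(p)
            if allowed:
                # Cache the verdict for both directions so the reply path
                # (e.g. the SYN/ACK) also bypasses the firewall.
                self.flows[k] = True
                self.flows[reverse_key(k)] = True
        if allowed:
            self.forwarded += 1
        else:
            self.dropped += 1
        return allowed


def run_scenario() -> Tuple[Router, List[bool]]:
    """Constructed traffic: one outbound session, one permitted inbound
    session, and one blocked inbound attempt (SYN then a stray ACK)."""
    fw = Firewall(inside_prefix="10.0.", allowed_inbound_ports=[443])
    rtr = Router(fw)
    pkts = [
        Packet("10.0.1.5", "203.0.113.9", 40000, 80, flags="S"),
        Packet("203.0.113.9", "10.0.1.5", 80, 40000, flags="SA"),
        Packet("10.0.1.5", "203.0.113.9", 40000, 80, flags="A"),
        Packet("10.0.1.5", "203.0.113.9", 40000, 80, flags="A"),
        Packet("10.0.1.5", "203.0.113.9", 40000, 80, flags="F"),
        Packet("198.51.100.7", "10.0.2.20", 51000, 443, flags="S"),
        Packet("10.0.2.20", "198.51.100.7", 443, 51000, flags="SA"),
        Packet("198.51.100.7", "10.0.2.20", 51001, 22, flags="S"),
        Packet("198.51.100.7", "10.0.2.20", 51001, 22, flags="A"),
    ]
    results = [rtr.handle(p) for p in pkts]
    return rtr, results


if __name__ == "__main__":
    r, res = run_scenario()
    print(res, "inspected:", r.fw.inspected, "fast path:", r.fast_path)
```

Of the nine packets, only four ever reach the firewall (the three SYNs and the stray ACK); the other five are forwarded from the router's flow table. That is exactly the throughput win scenario (3) is after, and also why a firewall deployed this way can only enforce policy at session setup: anything injected into an established flow goes through on the fast path unexamined.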