[c-nsp] External Firewall

Church, Charles cchurc05 at harris.com
Mon Mar 24 16:53:24 EDT 2008


Sridhar,

	The Cisco is faster because it's designed from the ground up to
route traffic.  Not so with the BSD box.  You could probably spend
months looking at drivers, tuning the kernel, etc. to improve it, but
still not match the 7200.  It's more than just CPU power.  Depending on
the platform, you might be able to policy route TCP SYN/SYN-ACKs to the
FW, and once it's established (assuming FW lets it), it can resume
through the Cisco only.  You're losing the benefit of a stateful
firewall at this point though, since the state isn't being monitored
anymore.  Seems like a couple of firewalls with throughput to match your
WAN should be enough.  If you're willing to lose the stateful firewall
capability, a simple packet filtering switch would do, and at line rate.

Chuck
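
Chuck's policy-routing idea, written out as an IOS configuration sketch. This is an added illustration, not configuration from the thread or from either poster; the interface names, the documentation address 192.0.2.0/30 for the firewall link, and the ACL/route-map names are assumptions.

```cisco
! Added example, not from the thread. Assumed topology: LAN on Gi0/0,
! WAN on Gi0/1, firewall on a dedicated link Gi0/2 (router 192.0.2.1,
! firewall 192.0.2.2) so packets returning from the firewall are not
! policy-routed a second time.
!
! Match only segments with the SYN bit set (SYN and SYN-ACK); the IOS
! 'syn' keyword does exactly that. Everything else is routed normally.
access-list 101 permit tcp any any syn
!
route-map HANDSHAKE-TO-FW permit 10
 match ip address 101
 set ip next-hop 192.0.2.2
!
! Apply on both ingress directions so the firewall sees the outbound SYN
! and the returning SYN-ACK. Non-matching packets (the final ACK, data,
! FIN, RST) never match the route-map and bypass the firewall entirely.
interface GigabitEthernet0/0
 description LAN side
 ip policy route-map HANDSHAKE-TO-FW
!
interface GigabitEthernet0/1
 description WAN side
 ip policy route-map HANDSHAKE-TO-FW
!
! No policy on the firewall-facing interface: whatever the firewall
! forwards back is routed by the normal table toward its destination.
interface GigabitEthernet0/2
 description firewall link
 ip address 192.0.2.1 255.255.255.252
!
! Caveat (Chuck's point): the firewall only ever sees the handshake, so
! its session table cannot observe teardown or anything mid-flow; entries
! age out on their own, and a decision made at SYN time is the only
! enforcement the rest of the connection gets.
```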

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
Sent: Monday, March 24, 2008 3:12 PM
To: Fred Reimer
Cc: Cisco NSPs
Subject: Re: [c-nsp] External Firewall


Fred Reimer wrote:
> Why, exactly?  Performance of the firewall?

Yes.  I have two identical networks set up for one company in two 
different locations.  One has a Cisco router (said 7200) talking 
upstream to a big WAN pipe and downstream to two gigabit ethernet 
networks.  The second location has the same WAN and LAN configuration, 
WAN line distance and quality measurement numbers, etc.  The only 
difference is that it is a BSD PC.  The Cisco performs noticeably and measurably
better in latency and throughput.  Neither is running firewall code.

Now, the BSD PC has gobs more processor horsepower, memory- and 
bus-bandwidth.  Why should the Cisco outperform it?

To find out, I wanted to set up a selection of scenarios in the lab. 
(1) I wanted to try setting up the firewall between the "internal" 
gigabit network and the 7200.  (2) I then wanted to set up the firewall 
between the WAN interface and the router to see how that performs.  (3) 
I wanted to set up what I described in my original message, with the 
firewall performing only stateful inspection functions, and allowing the
router to perform packet switching functions without interference from 
the firewall once the session is operating.

As far as I can see, the advantage of (1) is that traffic heading to the
"external" gigabit LAN wouldn't come across the firewall PC.  However, 
the disadvantage would be that traffic between the two LANs would have 
to pass through it.  That might be unacceptable.

The advantage of (2) might be that traffic between the "internal" and 
"external" LANs wouldn't come near the firewall PC.  Also, the WAN pipe 
may not require the throughput advantage of the Cisco.  (It may indeed, 
but it might not be as sensitive.)  However, this does add a couple 
dozen ms to the latency of the upstream connection.

As far as I can tell, (3) would be the best of both worlds, but I, for 
the life of me, can't figure out if there's a way to set a network up 
like that.

Any ideas?

Peace...  Sridhar

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
> Sent: Monday, March 24, 2008 1:31 PM
> To: Masood Ahmad Shah
> Cc: 'Cisco NSPs'
> Subject: Re: [c-nsp] External Firewall
> 
> Masood Ahmad Shah wrote:
>> Normally people would put it like shown below.
>>
>> WAN-Router<--------->Firewall<------>LAN-Switch
> 
> That's what I was hoping to avoid.
> 
> Peace...  Sridhar
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
