[c-nsp] External Firewall

Paul Cosgrove paul.cosgrove at heanet.ie
Mon Mar 24 17:11:52 EDT 2008


Hi Sridhar,

I'm afraid I haven't understood the significance of the firewall in your 
performance comparison tests between the cisco router and a BSD PC.  Is 
the BSD PC the firewall you are referring to?  Is your main aim to 
discover the reason why existing performance differs between the cisco 
and a BSD PC/router, or to test topology difference in two sites (only 
one of which has a firewall)?

Perhaps the cisco outperforms a powerful PC because of the hardware 
assisted switching.  The cisco router will use fast switching methods 
(e.g. CEF) to reduce the number of lookups and overall processing 
required by the main CPU.

If I understand option (3) correctly, you wish to perform Multilayer 
Switching between a router and a stateful firewall.  One difficulty I 
see with this is that in order for the firewall to perform stateful 
inspection, you will need to provide it with the traffic necessary to 
monitor the state of flows.  Shifting a flow over to a path which cuts 
out the firewall will then deprive it of this information.  This will 
limit its ability to function, for instance the firewall would not be 
able to detect when ports are negotiated within a session, or when a 
session ended.  Consequently I think the only inspection that you would 
be able to achieve with that approach would be basic ACL style 
filtering; which is something you could do on the router in any case.  
Shifting the firewall so that it is not in the main transit path will 
also expose the edge router and the infrastructure behind it.

Paul.

Sridhar Ayengar wrote:
> Fred Reimer wrote:
>   
>> Why, exactly?  Performance of the firewall?
>>     
>
> Yes.  I have two identical networks set up for one company in two 
> different locations.  One has a Cisco router (said 7200) talking 
> upstream to a big WAN pipe and downstream to two gigabit ethernet 
> networks.  The second location has the same WAN and LAN configuration, 
> WAN line distance and quality measurement numbers, etc.  The only 
> difference is that it is a BSD PC.  The Cisco performs noticeably and measurably 
> better in latency and throughput.  Neither is running firewall code.
>
> Now, the BSD PC has gobs more processor horsepower, memory- and 
> bus-bandwidth.  Why should the Cisco outperform it?
>
> To find out, I wanted to set up a selection of scenarios in the lab. 
> (1) I wanted to try setting up the firewall between the "internal" 
> gigabit network and the 7200.  (2) I then wanted to set up the firewall 
> between the WAN interface and the router to see how that performs.  (3) 
> I wanted to set up what I described in my original message, with the 
> firewall performing only stateful inspection functions, and allowing the 
> router to perform packet switching functions without interference from 
> the firewall once the session is operating.
>
> As far as I can see, the advantage of (1) is that traffic heading to the 
> "external" gigabit LAN wouldn't come across the firewall PC.  However, 
> the disadvantage would be that traffic between the two LANs would have 
> to pass through it.  That might be unacceptable.
>
> The advantage of (2) might be that traffic between the "internal" and 
> "external" LANs wouldn't come near the firewall PC.  Also, the WAN pipe 
> may not require the throughput advantage of the Cisco.  (It may indeed, 
> but it might not be as sensitive.)  However, this does add a couple 
> dozen ms to the latency of the upstream connection.
>
> As far as I can tell, (3) would be the best of both worlds, but I, for 
> the life of me, can't figure out if there's a way to set a network up 
> like that.
>
> Any ideas?
>
> Peace...  Sridhar
>
>   
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
>> Sent: Monday, March 24, 2008 1:31 PM
>> To: Masood Ahmad Shah
>> Cc: 'Cisco NSPs'
>> Subject: Re: [c-nsp] External Firewall
>>
>> Masood Ahmad Shah wrote:
>>     
>>> Normally people would put like show below..
>>>
>>> WAN-Router<--------->Firewall<------>LAN-Switch
>>>       
>> That's what I was hoping to avoid.
>>
>> Peace...  Sridhar
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>     
>

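The objection in Paul's reply (a stateful firewall that is cut out of the transit path once a session is up can no longer see ports negotiated inside the session or the session's teardown) can be shown with a small model. The code below is an added example, not code from this thread, from pf, or from IOS; it assumes 10.0.0.0/8 is the protected LAN, uses constructed addresses (10.0.0.5 and 203.0.113.7) and a made-up active-mode FTP session, and its Tracker class is a deliberately minimal stand-in for a real stateful inspector. The run() function plays the router: in "option (3)" mode it hands a flow to its fast path as soon as the firewall reports it established, and the firewall never sees that flow again.

```python
# Added illustration (not from the thread or any firewall product) of what a
# stateful firewall loses when the router switches established sessions around it.
# Assumption: 10.0.0.0/8 is the protected LAN; addresses and packets are constructed.
from dataclasses import dataclass

INSIDE = "10."          # assumption: prefix of the protected LAN
CLIENT = "10.0.0.5"     # constructed inside host
SERVER = "203.0.113.7"  # constructed outside FTP server


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "A"    # subset of "S" (SYN), "A" (ACK), "F" (FIN)
    payload: str = ""


class Tracker:
    """Minimal stateful inspector: TCP state per flow plus an FTP PORT pinhole (toy ALG)."""

    def __init__(self):
        self.flows = {}        # (src, sport, dst, dport) -> SYN_SENT|ESTABLISHED|CLOSING|CLOSED
        self.pinholes = set()  # (inside_host, port) a server is expected to connect back to

    @staticmethod
    def _fwd(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def state_of(self, p):
        return self.flows.get(self._fwd(p)) or self.flows.get(self._rev(p))

    def inspect(self, p):
        fwd, rev = self._fwd(p), self._rev(p)
        if p.flags == "S":                                  # new connection attempt
            if p.src.startswith(INSIDE):                    # outbound: tracked and allowed
                self.flows[fwd] = "SYN_SENT"
                return "allow"
            if (p.dst, p.dport) in self.pinholes:           # inbound, but negotiated earlier
                self.pinholes.discard((p.dst, p.dport))
                self.flows[fwd] = "SYN_SENT"
                return "allow"
            return "drop"
        if "S" in p.flags:                                  # SYN/ACK must answer a tracked SYN
            if self.flows.get(rev) == "SYN_SENT":
                self.flows[rev] = "ESTABLISHED"
                return "allow"
            return "drop"
        key = fwd if fwd in self.flows else rev
        if self.flows.get(key) not in ("ESTABLISHED", "CLOSING", "CLOSED"):
            return "drop"                                   # no matching session: out of state
        if "F" in p.flags:                                  # first FIN -> CLOSING, second -> CLOSED
            self.flows[key] = "CLOSING" if self.flows[key] == "ESTABLISHED" else "CLOSED"
        elif p.payload.startswith("PORT "):                 # FTP active mode: learn the data port
            a, b, c, d, hi, lo = (int(x) for x in p.payload[5:].split(","))
            self.pinholes.add((f"{a}.{b}.{c}.{d}", hi * 256 + lo))
        return "allow"

    def open_flows(self):
        return {k for k, s in self.flows.items() if s != "CLOSED"}


# Constructed active-mode FTP session as the endpoints would send it on the wire.
SESSION = [
    Pkt(CLIENT, 21000, SERVER, 21, "S"),
    Pkt(SERVER, 21, CLIENT, 21000, "SA"),
    Pkt(CLIENT, 21000, SERVER, 21, "A"),
    Pkt(CLIENT, 21000, SERVER, 21, "A", "PORT 10,0,0,5,4,1"),  # "connect back to 10.0.0.5:1025"
    Pkt(SERVER, 20, CLIENT, 1025, "S"),                        # server opens the data channel
    Pkt(CLIENT, 1025, SERVER, 20, "SA"),
    Pkt(CLIENT, 21000, SERVER, 21, "FA"),                      # control session torn down
    Pkt(SERVER, 21, CLIENT, 21000, "FA"),
]


def run(packets, offload_after_handshake):
    """Router + firewall model; returns (per-packet verdicts, firewall)."""
    fw = Tracker()
    fastpath = set()  # flows the router switches without consulting the firewall
    verdicts = []
    for p in packets:
        ends = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if offload_after_handshake and ends in fastpath:
            verdicts.append("bypass")      # hardware-switched; the firewall never sees it
            continue
        v = fw.inspect(p)
        verdicts.append(v)
        if v == "allow" and fw.state_of(p) == "ESTABLISHED":
            fastpath.add(ends)             # option (3): router takes over once established
    return verdicts, fw


if __name__ == "__main__":
    for label, offload in (("firewall inline", False), ("firewall bypassed once established", True)):
        verdicts, fw = run(SESSION, offload)
        print(f"{label}: {verdicts}")
        print(f"  firewall still believes open: {fw.open_flows()}")
```

Inline, every packet is allowed, the PORT command opens a pinhole so the server's connection back to 10.0.0.5:1025 is admitted, and the control session ends up CLOSED. Once the router takes over after the handshake, the PORT command and both FINs bypass the firewall: the server's data-channel SYN is dropped because no pinhole was ever learned, and the firewall still carries the control session as ESTABLISHED after both ends have closed it. What remains is the SYN check on the first packet, which is the ACL-style filtering a router can already do itself.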