[c-nsp] External Firewall

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Tue Mar 25 06:06:13 EDT 2008


Hi,

> Yes.  I have two identical networks set up for one company in two 
> different locations.  One has a Cisco router (said 7200) talking 
> upstream to a big WAN pipe and downstream to two gigabit ethernet 
> networks.  The second location has the same WAN and LAN configuration, 
> WAN line distance and quality measurement numbers, etc.  The only 
> difference is that it is a BSD PC.  The Cisco performs noticeably and measurably 
> better in latency and throughput.  Neither is running firewall code.
> 
> Now, the BSD PC has gobs more processor horsepower, memory- and 
> bus-bandwidth.  Why should the Cisco outperform it?

What BSD OS are you using?  What processor, what interface cards are
you using?  What bus are those cards on?  These are all salient facts.

You cannot have a stateful firewall which only inspects the first
packet, as each packet needs to be seen.  Stateful firewalls
recognise the stream and therefore throw the packet straight through,
avoiding any port/type and further rules if the stream was
allowed in the first place.

Your main consideration must surely be: do you want a routed firewall
or a 'bump in the wire' firewall?   You want a 1 Gig capable firewall
but fear the PC capability?  A decent PC will handle 1 Gig.  If you fear
this, then a decent Cisco ASA (which, to all intents and purposes,
is a PC in a fancy case) can do it, or a Juniper NetScreen, which
uses a couple of ASICs. 

If, however, your worry is about how well the (???)BSD did routing
(which routing package did you use?), then the Cisco has ASICs that do all
the hardest routing work, which your PC has to do in multiple processor
cycles while handling interrupts etc. too.

> As far as I can tell, (3) would be the best of both worlds, but I, for 
> the life of me, can't figure out if there's a way to set a network up 
> like that.

Nope.  Can't think of a way to do that either.  You can have 'out of band'
network management systems, where the traffic hits the box
via it being the LAN gateway, until the machine is authenticated,
at which point the system gets bumped to a LAN with a standard
gateway.  I can think of many, some horrible, ways of ensuring that
some machines or some protocols to some machines don't need to
go through a firewall (routed or bump), but they are hacks.....

alan
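As an added illustration of the stateful-firewall point made in the reply above (this is constructed example code, not code from the thread and not pf, ipfw or IOS code; the addresses, ports and rule set are made up): a toy packet filter that walks its rule list only for the first packet of a flow, matches every later packet, in both directions, against a state table, and still has to look at every packet to track handshake and teardown.

```python
"""Toy stateful packet filter.  Constructed example, not pf/ipfw/IOS code.

Rules are evaluated only for the first packet of a flow (a bare SYN);
later packets are matched by the state table in either direction.  Every
packet still passes through process(), which is the point of the thread:
the rule walk is skipped, the packet inspection is not."""

from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # TCP flags as a string, e.g. "S", "SA", "A", "FA"
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: str = "tcp"
    flags: str = "S"         # only a bare SYN may create state (cf. pf's flags S/SA)

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport)
                and p.flags == self.flags)


Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFilter:
    def __init__(self, rules, default: str = "block"):
        self.rules = list(rules)
        self.default = default
        self.states: Dict[Key, Set[str]] = {}   # flow key -> sides that sent FIN
        self.packets_seen = 0                   # every packet increments this
        self.rule_walks = 0                     # only first packets increment this

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        self.packets_seen += 1
        # Fast path: a known flow, in the original or the reply direction.
        for key, side in ((self._key(p), "initiator"),
                          (self._reverse_key(p), "responder")):
            if key in self.states:
                if "R" in p.flags:                 # reset tears the flow down
                    del self.states[key]
                elif "F" in p.flags:               # FIN from both sides closes it
                    self.states[key].add(side)
                    if self.states[key] == {"initiator", "responder"}:
                        del self.states[key]
                return "pass"
        # Slow path: first packet of a flow, walk the rule set once.
        self.rule_walks += 1
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "pass":
                    self.states[self._key(p)] = set()
                return rule.action
        return self.default


def demo():
    """One allowed HTTP flow from handshake to teardown (constructed traffic)."""
    fw = StatefulFilter([Rule("pass", dst="192.0.2.10", dport=80)])
    client, server = "198.51.100.7", "192.0.2.10"
    flow = [
        Packet(client, 50000, server, 80, "S"),    # rules walked here, state created
        Packet(server, 80, client, 50000, "SA"),   # reply matched via reverse key
        Packet(client, 50000, server, 80, "A"),
        Packet(client, 50000, server, 80, "PA"),   # data
        Packet(client, 50000, server, 80, "FA"),   # teardown
        Packet(server, 80, client, 50000, "FA"),
    ]
    verdicts = [fw.process(p) for p in flow]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = demo()
    print(verdicts, "packets seen:", fw.packets_seen, "rule walks:", fw.rule_walks)
```

After the six-packet flow the filter has seen six packets but walked the rules once. A forged "reply" from the server side, or a mid-stream ACK, with no matching state falls through to the rule set and is blocked, which is what distinguishes this from a stateless filter that would need a permissive reverse rule.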
