[c-nsp] ASA Firewalls placement in the network!

Adrian Minta adrian.minta at gmail.com
Mon Oct 12 11:28:13 EDT 2009


Ge Moua wrote:
>> The worst thing you can do is put a stateful firewall in front of a
>> busy DNS server - every single packet creating new state will bring
>> most hardware-based firewalls to their knees, because "session churn"
>> is usually handled at a much lower packet rate than "pure packet throughput
>> for existing state"...
>
>
> I concur and have battle scars to attest to this; we tried to put a
> stateful firewall in front of our public NTP server (which also happen
> to be our DNS servers) and the firewall tipped over within 5 minutes;
> state tables got exhausted quickly.
Is there a way to disable sessions for a specific port or IP?

-- 
Best regards,
Adrian Minta 
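As an added illustration of the session-churn point quoted above (this is example code written for this page, not something posted in the thread or shipped by Cisco), here is a small Python model of a connection table with a fixed capacity and an idle timeout, fed with constructed traffic. The figures used (1,000 queries per second, a 10,000-entry table, a 120 s idle timeout versus a 5 s one) are assumptions chosen to make the effect visible; the only general fact relied on is Little's law, that a table in steady state holds roughly new-flows-per-second times idle-timeout entries.

```python
"""Toy model of a stateful firewall's connection table, used to show why
per-packet state creation (DNS-style traffic) exhausts a table that would
comfortably carry the same packet rate from a handful of long-lived flows.
All traffic, capacities and timeouts below are constructed for illustration."""
from collections import OrderedDict


class StateTable:
    """Connection table with a fixed number of entries and an idle timeout.
    Times are integer milliseconds so the expiry arithmetic is exact."""

    def __init__(self, capacity, idle_timeout_ms):
        self.capacity = capacity
        self.idle_timeout_ms = idle_timeout_ms
        # flow key -> last-seen time; kept ordered oldest-first so expiry
        # only ever has to look at the front of the table.
        self.entries = OrderedDict()
        self.created = 0   # packets that opened a new entry
        self.matched = 0   # packets that hit an existing entry
        self.dropped = 0   # packets refused because the table was full
        self.peak = 0      # highest occupancy seen

    def _expire(self, now_ms):
        while self.entries:
            key, last_seen = next(iter(self.entries.items()))
            if now_ms - last_seen < self.idle_timeout_ms:
                break
            self.entries.popitem(last=False)

    def packet(self, key, now_ms):
        """Process one packet; returns True if it was forwarded."""
        self._expire(now_ms)
        if key in self.entries:
            self.entries[key] = now_ms
            self.entries.move_to_end(key)
            self.matched += 1
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[key] = now_ms
        self.created += 1
        self.peak = max(self.peak, len(self.entries))
        return True


def dns_traffic(rate_pps, seconds):
    """Constructed DNS-style stream: every query arrives from a fresh
    client address/port, so every packet is a new 5-tuple."""
    step_ms = 1000 // rate_pps
    for i in range(rate_pps * seconds):
        yield (("udp", "client-%d" % i, "ns", 53), i * step_ms)


def long_lived_flows(n_flows, packets_per_flow, seconds):
    """Constructed stream of established connections sending packets
    round-robin, with the same total packet count as the DNS stream."""
    step_ms = seconds * 1000 // packets_per_flow
    for p in range(packets_per_flow):
        for f in range(n_flows):
            yield (("tcp", "client-%d" % f, "web", 443), p * step_ms)


def run(traffic, capacity, idle_timeout_ms):
    """Push a whole traffic stream through a fresh table and return it."""
    table = StateTable(capacity, idle_timeout_ms)
    for key, t_ms in traffic:
        table.packet(key, t_ms)
    return table


def steady_state_entries(new_flows_per_second, idle_timeout_s):
    """Little's law: entries the table must hold once traffic is steady."""
    return new_flows_per_second * idle_timeout_s


if __name__ == "__main__":
    CAP = 10_000
    dns = run(dns_traffic(1_000, 60), CAP, idle_timeout_ms=120_000)
    web = run(long_lived_flows(500, 120, 60), CAP, idle_timeout_ms=120_000)
    dns_short = run(dns_traffic(1_000, 60), CAP, idle_timeout_ms=5_000)
    for name, t in (("dns/120s", dns), ("web/120s", web), ("dns/5s", dns_short)):
        print(f"{name:9} created={t.created:6} matched={t.matched:6} "
              f"dropped={t.dropped:6} peak={t.peak:6}")
    print("entries needed for 1000 new flows/s at 120 s idle timeout:",
          steady_state_entries(1_000, 120))
```

The three runs carry the same 60,000 packets in 60 seconds. The 500 established flows never occupy more than 500 entries, while the DNS stream fills all 10,000 entries after ten seconds and then drops five packets out of six, because with a 120 s idle timeout the table would need 120,000 entries to keep up. Cutting the idle timeout for that traffic to 5 s holds occupancy at 5,000 and nothing is dropped, which is the lever the question above is reaching for: where per-flow state cannot be switched off, the per-service idle timeout and the steady-state formula are what to compare against the table size before putting such a box in front of a resolver.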
