[c-nsp] ASA Firewalls placement in the network!
Adrian Minta
adrian.minta at gmail.com
Mon Oct 12 11:28:13 EDT 2009
Ge Moua wrote:
>> The worst thing you can do is put a stateful firewall in front of a
>> busy DNS server - every single packet creating new state will bring
>> most hardware-based firewalls to their knees, because "session churn"
>> is usually handled at a much lower packet rate than "pure packet throughput
>> for existing state"...
>
> I concur and have battle scars to attest to this; we tried to put a
> stateful firewall in front of our public NTP server (which also happens
> to be our DNS server) and the firewall tipped over within 5 minutes;
> the state tables got exhausted quickly.
Is there a way to disable sessions for a specific port or IP?
--
Best regards,
Adrian Minta