[c-nsp] ASA Firewalls placement in the network!

Ge Moua moua0100 at umn.edu
Mon Oct 12 11:44:23 EDT 2009


Yes, but the whole point of public NTP services is to allow any IPv4 address to 
do NTP sync.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services



Adrian Minta wrote:
> Ge Moua wrote:
>>> The worst thing you can do is put a stateful firewall in front of a 
>>> busy DNS server - every single packet creating new state will bring
>>> most hardware-based firewalls to their knees, because "session churn"
>>> is usually handled at a much lower packet rate than "pure packet throughput
>>> for existing state"...
>>
>>
>> I concur and have battle scars to attest to this; we tried to put a 
>> stateful firewall in front of our public NTP server (which also 
>> happens to be our DNS server) and the firewall tipped over within 5 
>> minutes; state tables got exhausted quickly.
> Is there a way to disable sessions for a specific port or IP?

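The failure mode described in the thread (a stateful firewall in front of a busy DNS/NTP server running out of state) follows from a simple relationship: a device that creates one table entry per UDP "session" has to hold roughly (new flows per second) x (UDP idle timeout) entries at steady state, and once that exceeds the table size, new flows are dropped while a stateless ACL keeps forwarding. The following is an added example by the editor, not code from the thread, from Cisco, or from any firewall product: a toy simulation of both devices over a constructed query stream. All parameters (table capacity, idle timeout, query rate, the 198.51.100.0/24 clients and the 203.0.113.53 server) are illustrative assumptions.

```python
"""Toy model: stateful state table vs. stateless ACL under UDP query churn.

Added example, not part of the original thread. Every number and address
below is a constructed assumption chosen for illustration.
"""
from collections import OrderedDict
import random

# Constructed parameters (assumptions, not measurements of any product).
UDP_IDLE_TIMEOUT = 120         # seconds an idle UDP "session" stays in the table
STATE_TABLE_CAPACITY = 10_000  # maximum concurrent entries the device can hold
SERVICE_PORTS = {53, 123}      # DNS and NTP, the services the thread discusses


def steady_state_entries(new_flows_per_sec, idle_timeout):
    """Little's law: arrival rate times residence time = entries held."""
    return new_flows_per_sec * idle_timeout


class StatefulFirewall:
    """Forwards a packet only if it can find or create a flow entry."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.table = OrderedDict()  # flow key -> last-seen time, oldest first
        self.passed = 0
        self.dropped = 0

    def _expire(self, now):
        # Entries are kept ordered by last-seen time, so pop from the front.
        while self.table:
            key, last_seen = next(iter(self.table.items()))
            if now - last_seen < self.idle_timeout:
                break
            self.table.popitem(last=False)

    def forward(self, now, pkt):
        self._expire(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.table:              # existing flow: cheap path
            self.table.move_to_end(key)
            self.table[key] = now
            self.passed += 1
            return True
        if len(self.table) >= self.capacity:  # table full: new flow is dropped
            self.dropped += 1
            return False
        self.table[key] = now              # new flow: costly "session churn" path
        self.passed += 1
        return True


class StatelessAcl:
    """Per-packet filter on destination port; keeps no state at all."""

    def __init__(self, ports):
        self.ports = ports
        self.passed = 0
        self.dropped = 0

    def forward(self, now, pkt):
        if pkt["dport"] in self.ports:
            self.passed += 1
            return True
        self.dropped += 1
        return False


def synth_queries(seconds, qps, seed=1):
    """Constructed traffic: each query comes from a fresh client/ephemeral port,
    so (almost) every packet is a new flow, as with a public DNS/NTP server."""
    rng = random.Random(seed)
    now = 0.0
    for _ in range(seconds * qps):
        yield now, {
            "src": f"198.51.100.{rng.randrange(1, 255)}",   # assumed client range
            "sport": rng.randrange(1024, 65535),
            "dst": "203.0.113.53",                          # assumed server address
            "dport": rng.choice((53, 123)),
        }
        now += 1.0 / qps


def run_simulation(seconds=60, qps=1000, capacity=STATE_TABLE_CAPACITY,
                   idle_timeout=UDP_IDLE_TIMEOUT):
    fw = StatefulFirewall(capacity, idle_timeout)
    acl = StatelessAcl(SERVICE_PORTS)
    for now, pkt in synth_queries(seconds, qps):
        fw.forward(now, pkt)
        acl.forward(now, pkt)
    return {
        "packets": seconds * qps,
        "predicted_steady_state": steady_state_entries(qps, idle_timeout),
        "stateful_entries": len(fw.table),
        "stateful_passed": fw.passed,
        "stateful_dropped": fw.dropped,
        "acl_passed": acl.passed,
        "acl_dropped": acl.dropped,
    }


if __name__ == "__main__":
    # Default 120 s timeout: 1000 flows/s * 120 s = 120k entries needed, table holds 10k.
    # Shorter 5 s timeout: 5k entries needed, which fits, so nothing is dropped.
    for timeout in (UDP_IDLE_TIMEOUT, 5):
        print(f"idle timeout {timeout}s:", run_simulation(idle_timeout=timeout))
```

The second run shows the one generic knob that helps if a stateful device must sit in the path: cutting the UDP idle timeout shrinks the residence time and therefore the steady-state table size. It does nothing for the per-new-flow setup cost the quoted paragraph calls session churn; only a stateless filter removes that.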