[c-nsp] ASA vs ISR ZBFW
Nick Hilliard
nick at foobar.org
Sun Sep 11 13:28:22 EDT 2011
On 10/09/2011 04:51, Mark Tinka wrote:
> Fodder for the ASR1000 BU.
>
> The box certainly has the tech. to be a decent-enough firewall, and is
> obviously a router by all accounts.
Well, yes and no. NPUs are fine but they aren't CPUs and you'll never
get the flexibility of a CPU-forwarded box on NPU based hardware, at
least not at a comparable price point.
As a general principle, I have problems with the concept of a packet
forwarding engine designed around the concept of a state table which can
be filled up in a matter of seconds by relatively low-tech attacks. E.g.
1M state entries is ~3 seconds worth of small packets at a paltry 100
megs. Combining that with many people's impression that implementing a
firewall is in some way equivalent to deploying a good quality security
policy, I often wonder if a firewall's most useful feature is
blame-shifting and fulfilling tick-box requirements.
Nick