Firewall Wizards mailing list archives
Re: Question on Cisco ASA's... do all the features slow it down?
From: Carson Gaspar <carson () taltos org>
Date: Wed, 12 Dec 2007 16:29:13 -0800
John G. wrote:
Well, I don't understand really what you mean by the packet sizes and first match vs. last match. I am more a firewall apprentice than firewall wizard.
A vendor says "we support 1 Gb/sec"

Packet sizes (with silly numbers):

If you have 128 MB (1 Gb) packets, the firewall has to process 1 packet
If you have 1 B packets, the firewall has to process 1073741824 packets

Assuming per-packet overhead is non-zero, those are _hugely_ different numbers. Of course in reality the values vary between 64 and 1500 bytes, not 1 and 134217728 bytes.

Rule sizes (related to the above):

Matching a single "permit any any" rule takes some (minimal) time. Matching a 10,000 entry rule set where the "permit" entry that matches your packets is last takes some, possibly greater, amount of time, especially if the firewall has a naive linear rule application algorithm.

In general, you find that:

- Firewalls have a packet rate limit caused by their per-packet processing overhead. In some cases this is related to their ruleset size. In most cases this is related to the number of existing connections.
- Firewalls have a new session rate limit caused by their connection setup overhead. This is almost always related to their rule set size, although there are exceptions - Lucent had O(1) (constant time) ACL processing on some of their routers, thanks to some fun math from their researchers.
- Firewalls have a bit-rate limit caused by hardware platform limits, but these limits are almost _never_ reached in real life.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
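The packet-rate and rule-walk limits described in the reply above, as an added capacity model (not code from the thread or from any vendor); the per-packet and per-rule nanosecond costs, the `FirewallModel` class, `build_ruleset`, and the sample packet are all constructed assumptions used only to show how small packets and a last-entry permit each pull throughput below the advertised bit rate:

```python
from dataclasses import dataclass

# Constructed packet used for the rule walk (hypothetical values).
PACKET = {"proto": "tcp", "dport": 443}


def build_ruleset(n: int, permit_last: bool = True) -> list:
    """Constructed ACL of n entries: n-1 denies on unrelated ports plus one
    'permit any any'. permit_last=True puts the permit at the end, as in the
    10,000-entry worst case from the thread."""
    denies = [{"action": "deny", "match": {"proto": "tcp", "dport": 10000 + i}}
              for i in range(n - 1)]
    permit = {"action": "permit", "match": {"proto": "any", "dport": "any"}}
    return denies + [permit] if permit_last else [permit] + denies


@dataclass
class FirewallModel:
    link_bps: float       # the vendor's advertised bit rate
    per_packet_ns: float  # fixed per-packet overhead (assumed value)
    per_rule_ns: float    # cost to test one ACL entry in a naive linear walk (assumed)

    def packets_per_second(self, packet_bytes: int) -> float:
        """Packets per second needed to fill the advertised bit rate."""
        return self.link_bps / (packet_bytes * 8)

    def rules_evaluated(self, rules: list, packet: dict) -> int:
        """Naive first-match walk: how many entries are tested before a hit."""
        for n, rule in enumerate(rules, start=1):
            if all(v == "any" or packet.get(k) == v for k, v in rule["match"].items()):
                return n
        return len(rules)  # no match: every entry was examined

    def max_pps(self, rules_checked: int) -> float:
        """Packet rate the processing budget allows for this many rule tests."""
        return 1e9 / (self.per_packet_ns + self.per_rule_ns * rules_checked)

    def achievable_bps(self, packet_bytes: int, rules_checked: int) -> float:
        """Throughput is capped by the lower of wire rate and packet-rate budget."""
        pps = min(self.packets_per_second(packet_bytes), self.max_pps(rules_checked))
        return pps * packet_bytes * 8


if __name__ == "__main__":
    fw = FirewallModel(link_bps=1e9, per_packet_ns=200, per_rule_ns=5)
    for rules in (build_ruleset(10000, permit_last=False), build_ruleset(10000)):
        checked = fw.rules_evaluated(rules, PACKET)
        for size in (64, 1500):
            print(f"{size:5d} B packets, {checked:5d} rules checked: "
                  f"{fw.achievable_bps(size, checked) / 1e6:8.1f} Mb/s")
```

With the permit first, both packet sizes reach the full 1 Gb/s in this model; with the permit last, 64-byte packets fall to roughly 10 Mb/s and 1500-byte packets to roughly 240 Mb/s, which is the packet-rate effect the reply describes.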
Current thread:
- Question on Cisco ASA's... do all the features slow it down? John G. (Dec 05)
- Re: Question on Cisco ASA's... do all the features slow it down? ChrisSerafin (Dec 06)
- Re: Question on Cisco ASA's... do all the features slow it down? Brett Cunningham (Dec 06)
- Re: Question on Cisco ASA's... do all the features slow it down? jacob c (Dec 10)
- Re: Question on Cisco ASA's... do all the features slow it down? Carson Gaspar (Dec 11)
- Re: Question on Cisco ASA's... do all the features slow it down? John G. (Dec 11)
- Re: Question on Cisco ASA's... do all the features slow it down? jacob c (Dec 12)
- Re: Question on Cisco ASA's... do all the features slow it down? Carson Gaspar (Dec 13)
- Re: Question on Cisco ASA's... do all the features slow it down? jacob c (Dec 10)