David Lang wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Mon, 17 May 1999, Johann G. Hautzinger wrote:
> 
> > Greg Bastian wrote:
> > >
> > > As a more specific question for any Linux users out there, would a NAT based
> > > firewall/router to handle a 128KBit ISDN connection running on a Pentium 233
> > > with 96 MB RAM handle the load ?
> >
> > well ... the answer is: that depends on ... like always ;-)
> >
> > in this case it depends on the answer to the following question(s):
> >
> >       > Do you want protection against your users?
> >         How are they connected?
> >         How many are they?
> >
> > a "no" to the first question should be a clean green light to using this
> > machine.
> 
> I am puzzled by this comment, if you are meaning protection from users
> logging into the firewall, that should not be happening anyway. If you are
> talking protection from users behind the firewall then it is an issue of
> NAT based vs. stateful inspection vs. proxy which is not the question
> asked.
hi Dave,

i'll gladly resolve the puzzle:

"logging in"
i did not mention users logging into the firewall - so it is most
unlikely to be the thing i was talking of

"NAT ..."
well, let me guide you to my point of view (maybe i am misunderstanding
a lot of things anyway ...):
a) Greg was talking of the "load" - not only the NAT-induced load (as
far as i understood),

b) though external connections tend to be rather slow (eg. 128 kbit),
internal networks get faster and faster - 10 Mbit is the lower end of
standards, there also are (near to) 100 Mbit and still this is _not_ the
fastest possible speed - so more and more packets are coming into the
firewall from inside requesting to be translated, which increases the
load for sure

c) imagine a wily hacker (and imagination is a lot of our business in
securing systems i think - hey, we are not fighting reality, fighting
reality is too late already!) having a companion inside the usernet.
this bad guy is bombarding the firewall with packets to the outside and
thus increasing the load, just to give the outside hacker the time he
needs. due to his high connection speed packets arrive very quickly and
can make the firewall machine sweat (for a rule of thumb look in the
zwicky book, don't have it at hand but it is something like "Building
Internet Firewalls", O'Reilly, they are dealing with the problem "line -
necessary machine")


> > btw: using linux you could try saying "yes" to "CPU is too slow to
> > handle full bandwidth" under network options during kernel config.
> a machine like this should have NO problems maintaining these speeds. I
> have a NAT based linux firewall on my cablemodem at home. it is a 485/25
> 8MB and has no problems keeping up with 3Mb download 200Kb upload
> (although I admit I don't find many sites out there able to maintain that
> speed, usually I only see that speed when doing multiple downloads :-)
right - _should_ be enough but as i tried to show there _could_ be
circumstances where this is not enough (i am sure you don't have many
users at home accessing your gateway at the same time, do you?)

but maybe i am wrong anyway :-) - better considered a situation which
will never happen than forgotten a point which could happen all the time
*g*

+Hannes

-- 
Johann Georg Hautzinger              http://treasury.erstebank.at
Erste Bank AG - OE 560 - IT & Workflow Management
Boersegasse 14                                  Tel.: 536 31 1907
1010 Wien                                     email: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
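The scenario Hannes sketches in point c) is, from the defender's side, a load-accounting problem: one fast internal host can offer the NAT box far more traffic than a 128 kbit uplink can carry, and the first sign of it is one source dominating the per-second packet and byte counts. The script below is an added example and not code from the thread or from any firewall product; it assumes a constructed, simplified per-packet log format ("epoch_second src dst bytes"), a constructed sample, and arbitrary thresholds (40 packets/s per host, and the 128 kbit/s uplink figure from the thread) so the reader can see which internal host would be flagged and by how much the uplink is oversubscribed in each second.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Uplink speed taken from the thread: a 128 kbit/s ISDN line.
LINK_BPS = 128_000


class Record(NamedTuple):
    ts: int    # epoch second the packet was seen
    src: str   # internal source address
    dst: str   # external destination address
    size: int  # packet size in bytes


def parse_log(text: str) -> List[Record]:
    """Parse the constructed 'ts src dst bytes' lines; malformed lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            records.append(Record(int(ts), src, dst, int(size)))
        except ValueError:
            continue  # non-numeric timestamp or size: not one of our records
    return records


def per_source_windows(records: List[Record]) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Map (src, second) -> (packet count, byte total) over one-second windows."""
    packets: Dict[Tuple[str, int], int] = defaultdict(int)
    nbytes: Dict[Tuple[str, int], int] = defaultdict(int)
    for r in records:
        packets[(r.src, r.ts)] += 1
        nbytes[(r.src, r.ts)] += r.size
    return {key: (packets[key], nbytes[key]) for key in packets}


def flag_flooders(records: List[Record], pps_limit: int = 40,
                  link_bps: int = LINK_BPS) -> List[Tuple[str, int, int, int, str]]:
    """Return (src, second, packets, bits_per_second, reason) for every window in
    which a single internal host exceeds pps_limit or alone offers more bits than
    the uplink can carry. Thresholds are assumptions for this example."""
    hits = []
    for (src, sec), (pkts, total_bytes) in sorted(per_source_windows(records).items()):
        bps = total_bytes * 8
        reasons = []
        if pkts > pps_limit:
            reasons.append("pps")
        if bps > link_bps:
            reasons.append("exceeds_uplink")
        if reasons:
            hits.append((src, sec, pkts, bps, "+".join(reasons)))
    return hits


def uplink_utilisation(records: List[Record], link_bps: int = LINK_BPS) -> Dict[int, float]:
    """Map second -> offered load / uplink capacity; values above 1.0 mean the
    firewall is queueing or dropping, i.e. the 'sweating' machine in the thread."""
    bits_per_second: Dict[int, int] = defaultdict(int)
    for r in records:
        bits_per_second[r.ts] += r.size * 8
    return {sec: bits / link_bps for sec, bits in sorted(bits_per_second.items())}


# Constructed sample: one host on the fast internal LAN pushes 50 full-size
# packets in a second while another host does a little interactive traffic.
_BASE = 926_000_000  # constructed epoch second (May 1999)
SAMPLE_LOG = "\n".join(
    [f"{_BASE} 10.0.0.5 203.0.113.9 1500" for _ in range(50)]
    + [f"{_BASE} 10.0.0.7 198.51.100.4 80" for _ in range(3)]
    + [f"{_BASE + 1} 10.0.0.5 203.0.113.9 1500" for _ in range(2)]
    + ["this line is deliberately malformed"]
)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in flag_flooders(recs):
        print("flagged:", hit)
    for sec, util in uplink_utilisation(recs).items():
        print(f"second {sec}: offered load is {util:.2f}x the uplink capacity")
```

Running it shows 10.0.0.5 flagged in the first second on both counts (50 packets, 600 kbit offered against a 128 kbit line) and an offered load of roughly 4.7 times the uplink in that second, dropping to under 0.2 in the next; on a real box the same per-source accounting would come from the firewall's own packet logs or counters, and the interesting number is not the count itself but one host's share of it.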
