I have to disagree, Chris. If you want to configure VPN maybe FW-1, but he's just
talking packet filter so obviously he wants raw throughput. PIX blows FW-1 away in raw
throughput... here's a couple links, check it out:
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/index.shtml
http://www.networkcomputing.com/1106/1106f12.html
cheers..
>>> Chris Brenton <[EMAIL PROTECTED]> 07/25/00 04:30AM >>>
Grich Ondřej wrote:
I ask the above as it will play a big part in determining which
technology you use. If the hosts will be watched closely, you can
probably get away with static packet filters (say on a Cisco router). If
you are not 100% certain the hosts will be maintained, go with a
stateful filter. Your best bet in this arena is probably a Nokia box
running FW-1. It's the fastest stateful filter I've seen.
> I'm interested in proven data.
Check out Checkpoint's Web site. I'm sure they have metrics on the
Nokia. I know they did a recent study which included FW-1 on Linux and
Nokia still won out, but I'm not sure if they publicized the findings or
not.
> I thought about load balancing switches with
> security functionality (like BigIP from f5networks, or ArrowPoint products),
> but these are not proven (from a security point of view).
Also, keeping it simple is a good thing. F5? Humm, seem to remember some
interesting stuff in the archive about them. ;)
> Is anybody aware of maximum network throughput which can be handled by
> PACKET FILTER (in general)?
This will vary with vendor & platform but in general, static will give
you better performance than stateful. Which to choose depends on your
environment.
> I'm sure some of you had faced the same situation. What are the solutions,
> concepts you used?
Yup, hardened hosts with static filters. Network based IDS to watch over
the chicken coop. ;)
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]