We have a cisco PIX as a firewall currently running 5.something
and it is working well except that we are finding the access list
difficult to manage. (We are a university and because of this
it is felt that security has to take a back seat to academic
freedom - so we have 80 web servers etc...) The current access
list has some 350 entries. This throws up a number of problems:

   Does anyone know if the PIX will be able to perform with
such a huge access list at 100M? (we have a 515) How much further
can we push it, 400 lines? 500? The 100M connection will arrive
later in the year and it would be unfortunate if the PIX didn't
perform then...

   Currently all the filtering from outside for all the interfaces 
(5+outside) is done inbound on the outside interface. Is there a
better way?

   Is there any software (free would be best) to help manage the
access lists? If not I guess we will cook up something.

   Will optimising the access lists produce any useful gain? (ie arrange
the bits that get all the hits at the top as far as possible.)

   Are there any advantages to using conduits instead of access lists?
I'm guessing that conduits will be supported even though they are out 
of favour but what do you think?

   Is there anything on the web that discusses these kinds of issues - I've
failed to find anything useful so far.

Thanks in advance.

David

******        David Round - EMail  [EMAIL PROTECTED]             ******
*****These are my own views, I represent nobody (Well maybe myself)*****
***********I guarantee nothing - Particularly the spelling**************
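The question about optimising the access list asks whether moving the entries that get all the hits to the top is worthwhile. The catch is that a PIX access list is evaluated first-match, so an entry may only be moved above another if no packet could match both with a different result. The script below is an added example, not from the post or from Cisco: it reads a constructed, simplified rule format (assumed here, not the real `show access-list` output), sorts rules upward by hit count, and refuses to cross any deny/permit pair whose protocol, addresses and port overlap, so the rewritten list keeps the original semantics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]             # destination port, None means any
    hits: int                       # hit counter taken from the device

def parse(line: str) -> Rule:
    # Assumed simplified format: "<action> <proto> <src/len> <dst/len> <port|any> hits=<n>"
    action, proto, src, dst, port, hits = line.split()
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                None if port == "any" else int(port), int(hits.split("=")[1]))

def conflicts(a: Rule, b: Rule) -> bool:
    # Order matters only if some packet can match both rules and they decide
    # differently; same-action overlaps may be swapped without changing the result.
    if a.action == b.action:
        return False
    proto_ok = a.proto == b.proto or "ip" in (a.proto, b.proto)
    port_ok = a.port == b.port or None in (a.port, b.port)
    return proto_ok and port_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)

def optimise(rules: list) -> list:
    # Insertion pass: each rule floats upward past colder rules until it
    # would cross a hotter rule or one it conflicts with.
    ordered = []
    for r in rules:
        pos = len(ordered)
        while pos > 0 and ordered[pos - 1].hits < r.hits and not conflicts(ordered[pos - 1], r):
            pos -= 1
        ordered.insert(pos, r)
    return ordered

# Constructed sample list (documentation address ranges, made-up hit counts).
SAMPLE = [
    "deny ip 192.0.2.0/24 0.0.0.0/0 any hits=5",          # cold, but guards everything below
    "permit tcp 0.0.0.0/0 198.51.100.10/32 25 hits=40",
    "permit tcp 0.0.0.0/0 198.51.100.0/24 80 hits=9000",  # the hot web rule
    "permit udp 0.0.0.0/0 198.51.100.53/32 53 hits=3000",
]

def optimise_lines(lines: list) -> list:
    return optimise([parse(l) for l in lines])
```

On the sample the deny stays first because every permit overlaps it, and the web and DNS rules move above the colder mail rule.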

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls