[unisog] High speed firewalls - Connections per second not bits per second

Donal Lynch donal at yorku.ca
Mon Feb 21 18:02:24 GMT 2005

Firewalls are (typically) designed based on the assumption that they
will be blocking most traffic and allowing only a limited subset of
the traffic to pass.  Most colleges and universities have policies
that require that vast portions of the network be fairly wide open.
Using a box that is designed to block most traffic in a situation
where you are actually going to allow most traffic is a recipe for
problems (I'm speaking from experience - which we learned the hard
way).  That sounds exactly like the problem you've run into, and
from our experience and research even the biggest firewalls won't
solve it.  The only solution we could come up with was to replace our
internet firewall with an Intrusion Prevention System.  Needless to
say an IPS that could handle our bandwidth requirements, and our
connections per second requirements wasn't cheap, but compared
against the cost of ganging 4 Cisco FWSM together, it made sense.
And things have been a lot more stable since we removed the
firewall.  Of course an IPS isn't a stateful firewall.... But if
your policy is that things are going to be so open that you need to
worry about a firewall that can manage 100K+ connections per


Donal Lynch
Asst. Manager, CNS Network Operations, York University
email: donal at yorku.ca   voice: 416.736.2100 x20282

On Mon, 21 Feb 2005, Mayne, Jim wrote:

> Currently TCU is using a Checkpoint FW1 NG AI firewall running on a
> Nokia platform in front of our RESNET network. We have begun to see more
> and more problems with the firewall dropping packets when we get a rash
> of infected machines. Nokia is now telling us that without their IP2250
> (Very expensive!) box they cannot handle over 1k connections per second
> when running FW1 (even with SecureXL and every other optimization they
> can think of). 1k cps is not much when you have even a few infected
> machines.
> So my question is do you all know of firewalls, stateful inspection and
> not just ACLs on routers, that can really handle large numbers of
> connections per second? I see a lot about bps but not too much about
> cps.
> Thanks,
> Jim
> Jim Mayne
> Network Security Engineer
> Texas Christian University
> j.mayne at tcu.edu
> (817) 257-6843
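The thread's point is that the new-connection rate, not bandwidth, is what exhausts the firewall. As an added illustration (not code from either poster), the Python below counts peak new connections per second per source over constructed log lines, flags a host that behaves like the infected machines Jim describes, and estimates how many state-table entries that rate implies via Little's law. The log format, the per-source threshold and the 30 s mean flow lifetime are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log, one new-connection event per line:
# "<epoch second> <src ip> <dst ip> <dst port>".  Three normal flows plus
# one host that opens 1200 new flows in a single second (scanner-like).
CONSTRUCTED_LOG = "\n".join(
    ["1108994400 10.1.1.7 192.0.2.10 80",
     "1108994401 10.1.1.7 192.0.2.10 443",
     "1108994401 10.1.1.9 192.0.2.12 25"]
    + [f"1108994401 10.1.1.5 192.0.2.{i % 250 + 1} {135 + i % 5}"
       for i in range(1200)]
)

def parse_events(text):
    """Return a list of (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return events

def peak_cps_per_source(events):
    """Highest new-connections-per-second observed for each source IP."""
    per_second = Counter((ts, src) for ts, src, _, _ in events)
    peaks = defaultdict(int)
    for (ts, src), n in per_second.items():
        peaks[src] = max(peaks[src], n)
    return dict(peaks)

def peak_total_cps(events):
    """Highest aggregate new-connection rate in any one second."""
    per_second = Counter(ts for ts, *_ in events)
    return max(per_second.values()) if per_second else 0

def flag_sources(events, cps_threshold):
    """Sources whose peak rate exceeds the (assumed) per-host threshold."""
    return sorted(src for src, n in peak_cps_per_source(events).items()
                  if n > cps_threshold)

def state_entries_needed(cps, mean_flow_lifetime_s):
    """Little's law: concurrent table entries = arrival rate x mean lifetime."""
    return cps * mean_flow_lifetime_s

if __name__ == "__main__":
    ev = parse_events(CONSTRUCTED_LOG)
    print("peak total cps:", peak_total_cps(ev), "(firewall limit in thread: 1000)")
    print("flagged sources:", flag_sources(ev, 100))
    print("state entries at peak, 30 s mean lifetime:",
          state_entries_needed(peak_total_cps(ev), 30))
```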
