[unisog] High speed firewalls - Connections per second not bitspersecond

Frank Bulk frnkblk at iname.com
Tue Feb 22 14:49:36 GMT 2005

I've been told by Cisco that their FWSM is more powerful than any of the
PIXes.  They even said it's a little over-righteous. ;)


-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Matt McBride
Sent: Monday, February 21, 2005 10:49 PM
To: UNIversity Security Operations Group
Subject: RE: [unisog] High speed firewalls - Connections per second not

> So my question is do you all know of firewalls, stateful inspection
> not just ACL's on routers, that can really handle large numbers of 
> connections per second? I see a lot about bps but not too much about 
> cps.

We run several Cisco FWSMs throughout our campus backbone in the
distribution layer and at our AS boundary routers acting as our front door.
Most average 150-200 Mbps and we deal with infected hosts spewing data on
a daily basis. We haven't been pushed to the point of dropping packets, at
least nothing I or the end users have noticed.

Cisco claims, "Cisco Firewall Services Module (FWSM) is a high-speed,
integrated firewall module for Cisco Catalyst(r) 6500 switches and Cisco
7600 Series routers, and provides the fastest firewall data rates in the
industry: 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.
Up to four FWSMs can be installed in a single chassis providing scalability
to 20 Gbps per chassis."

We did extensive testing in the lab before going with this solution using a
Smartbits network performance analysis system. It handled 1K cps without any


Matt McBride
Network Engineer
University of Utah
Salt Lake City, USA
ccnp ccdp cissp
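The thread's point is that a stateful firewall has two capacity limits that bits-per-second figures hide: the rate at which it can create new state entries (cps) and the number of entries it can hold at once. The following is an added capacity-planning example, not code or data from this thread, from the University of Utah, or from Cisco. It applies Little's law (concurrent entries = cps x mean time an entry stays in the table) to two constructed workloads and runs a tick simulation of a state table that refuses new connections when full. The two workloads, the 30 s half-open lifetime of a scan's entries, and the 1 Mbps-per-flow bulk transfer are assumptions chosen to illustrate the contrast; the 100,000 cps and 1M concurrent limits used as reference points are the vendor figures quoted above.

```python
"""Connection-table capacity planning for a stateful firewall.

Constructed example: a bandwidth-heavy workload versus a connection-heavy
one, checked against a firewall's cps limit and state-table size. All
workload numbers are illustrative assumptions, not measurements.
"""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Workload:
    name: str
    cps: float            # new connections per second, steady state
    mean_life_s: float    # seconds each entry stays in the state table
    bps_per_conn: float   # average bits/s carried by one connection


# Assumed workloads (constructed for this example).
BULK = Workload("bulk transfers", cps=50, mean_life_s=60, bps_per_conn=1e6)
SCAN = Workload("infected-host scan", cps=5000, mean_life_s=30, bps_per_conn=1e3)


def littles_law_concurrent(w: Workload) -> float:
    """Steady-state table occupancy: arrival rate x mean residence time."""
    return w.cps * w.mean_life_s


def throughput_bps(w: Workload) -> float:
    """Steady-state forwarded bandwidth implied by the occupancy."""
    return littles_law_concurrent(w) * w.bps_per_conn


def utilization(w: Workload, cps_limit: float, table_limit: float,
                bps_limit: float) -> dict:
    """Fraction of each firewall limit the workload consumes (>1 = exceeded)."""
    return {
        "cps": w.cps / cps_limit,
        "table": littles_law_concurrent(w) / table_limit,
        "bps": throughput_bps(w) / bps_limit,
    }


def simulate_state_table(w: Workload, table_size: int, seconds: int):
    """Deterministic one-second ticks: each tick w.cps new flows arrive and
    each lives exactly mean_life_s. Entries are evicted only on expiry, so a
    full table refuses new flows. Returns (peak_concurrent, refused_total)."""
    expiries = []            # min-heap of expiry times for entries in the table
    peak = 0
    refused = 0
    per_tick = int(w.cps)
    for t in range(seconds):
        while expiries and expiries[0] <= t:   # age out finished flows
            heapq.heappop(expiries)
        for _ in range(per_tick):
            if len(expiries) >= table_size:
                refused += 1                    # table full: new flow dropped
            else:
                heapq.heappush(expiries, t + w.mean_life_s)
        peak = max(peak, len(expiries))
    return peak, refused


if __name__ == "__main__":
    # Reference points are the vendor figures quoted in the thread.
    CPS_LIMIT, TABLE_LIMIT, BPS_LIMIT = 100_000, 1_000_000, 5e9
    for w in (BULK, SCAN):
        u = utilization(w, CPS_LIMIT, TABLE_LIMIT, BPS_LIMIT)
        print(f"{w.name}: {throughput_bps(w)/1e6:.0f} Mbps, "
              f"{littles_law_concurrent(w):.0f} concurrent entries; "
              f"uses {u['bps']:.1%} of bandwidth, {u['table']:.1%} of table, "
              f"{u['cps']:.2%} of cps")
    # A smaller table shows the failure mode: the scan, at 3% of bandwidth,
    # fills a 100k-entry table in 20 s and then sheds a third of all new flows.
    print(simulate_state_table(SCAN, table_size=100_000, seconds=60))
```

The bulk workload moves 3 Gbps with only 3,000 table entries, while the scan moves 150 Mbps yet needs 150,000 entries; that is why the original question asks for cps figures rather than bps. With the table capped at 100,000 the simulation reports a peak of 100,000 and 100,000 refused flows over 60 s, i.e. one in three new connections dropped once the half-open entries stop expiring fast enough.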
