
[Fwd: [unisog] High speed firewalls - Connections per second not bits per second]



Hmmm... what is the 'pf' response to this problem? I seem to remember
that 3.6 has per-IP limits that can be set that perhaps could mitigate
this sort of problem.
Keep the pf-specific stuff on this list; I'll forward a summary to
unisog.
Russell.
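For reference, the per-IP limits Russell is thinking of are the pf state options introduced in OpenBSD 3.6 (max-src-conn, max-src-conn-rate, overload <table> and flush). The pf.conf fragment below is an added example, not configuration from this thread or from TCU; interface names and the RESNET address range are assumptions chosen for illustration.

```pf
# Added example (not from this thread): per-source-IP state limits in
# OpenBSD 3.6 pf, to cap what a single infected host can consume.
# Interface and network names are assumptions for illustration.
ext_if = "fxp0"            # uplink
int_if = "fxp1"            # RESNET side
resnet = "10.20.0.0/16"    # constructed example range

# Hosts that exceed the limits land here; "persist" keeps the table
# around even when no rule currently references it.
table <flooders> persist

set limit states 50000

# Drop everything from a host already flagged as a flooder before any
# stateful evaluation, so it cannot consume further state entries.
block in quick on $int_if from <flooders>

# Weak form: unbounded state creation per host. One worm-infected
# machine can open thousands of states per second.
# pass in on $int_if proto tcp from $resnet to any flags S/SA keep state

# Hardened form: each source may hold at most 100 simultaneous TCP
# connections and open at most 30 new ones per 5 seconds. A host that
# exceeds either limit is added to <flooders>, and "flush global" tears
# down all of its existing states (including UDP/ICMP), not only those
# created by this rule.
pass in on $int_if proto tcp from $resnet to any flags S/SA \
    keep state (max-src-conn 100, max-src-conn-rate 30/5, \
                overload <flooders> flush global)

# UDP and ICMP have no connection-rate option; cap concurrent states only.
pass in on $int_if proto { udp icmp } from $resnet to any \
    keep state (max-src-states 200)

# Inspect or clear the table from the shell:
#   pfctl -t flooders -T show
#   pfctl -t flooders -T delete 10.20.5.7
```

These options do not raise the firewall's own connections-per-second ceiling; they bound how much of it any one internal host can use up, and the overload table lets the helpdesk see which machines to pull off the network.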
-------- Forwarded Message --------
From: Mayne, Jim <[email protected]>
Reply-To: UNIversity Security Operations Group <[email protected]>
To: [email protected]
Subject: [unisog] High speed firewalls - Connections per second not bits per second
Date: Mon, 21 Feb 2005 10:40:28 -0600
Currently TCU is using a Checkpoint FW1 NG AI firewall running on a
Nokia platform in front of our RESNET network. We have begun to see more
and more problems with the firewall dropping packets when we get a rash
of infected machines. Nokia is now telling us that without their IP2250
(Very expensive!) box they cannot handle over 1k connections per second
when running FW1 (even with SecureXL and every other optimization they
can think of). 1k cps is not much when you have even a few infected
machines.
So my question is do you all know of firewalls, stateful inspection and
not just ACLs on routers, that can really handle large numbers of
connections per second? I see a lot about bps but not too much about
cps.
Thanks,
Jim
Jim Mayne
Network Security Engineer
Texas Christian University
[email protected]
(817) 257-6843
_______________________________________________
unisog mailing list
[email protected]
http://www.dshield.org/mailman/listinfo/unisog
