Network Security Firewalls

Re: Pix performance

Subject: Re: Pix performance
Date: Thu, 27 Jan 2005 14:27:03 -0800
Jason,

Per Cisco, the specs on the 515e are as follows:

Cleartext throughput: Up to 190 Mbps
Concurrent connections: 130,000
168-bit 3DES IPSec VPN throughput: Up to 135 Mbps with VAC+ or 63 Mbps with VAC
128-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+
256-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+
Simultaneous VPN tunnels: 2000

I would think a 515e would be sufficient, as long as you are using all
the acceleration functions of the PIX (i.e. Turbo ACLs, etc).  There are
a few things to watch out for though:

1. If you have unusual ACLs your CPU usage may be high.
2. A "Concurrent Connection" is not one inside host. For example, a
busy web server may generate tens of thousands of "concurrent
connections".

For some real-world numbers on the 515e:

We have a 515e connected to a Cisco 3030 VPN concentrator via a 168-bit
3DES VPN tunnel on a 45 Mbit connection. Copying large files from a
server at one end to the other end results in about 17 Mbit/sec
sustained throughput. This results in about 6% CPU use on the PIX.

Hope that helps.

Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools Office


Norwich University - Information Security <infosec@norwich.edu>
1/26/2005 9:08:23 AM >>>

Hi,

I have just inherited a PIX 515e and am wondering if it is capable
(from a performance perspective) of acting as our main firewall.

We are a small university with approximately 2500 users.  Our
incoming/outgoing bandwidth is 32Mb/s and can run anywhere from 4% to
90% utilization with a rough average of about 62% (20Mb/s).

Does anyone know from personal experience if the PIX 515e can reliably
handle this magnitude of usage doing both filtering and NAT?

Thx,

Jason
CISO
Norwich University


