Norwich University - Information Security <infosec@norwich.edu> wrote:
I have just inherited a PIX 515e and am wondering if it is capable (from
a performance perspective) of acting as our main firewall.
Given the term "inherited", you may wish to check the PIXOS version,
also if the device is currently using conduits, upgrading to the latest code
will require migrating the configuration to ACLs.
We are a small university with approximately 2500 users. Our
incoming/outgoing bandwidth is 32Mb/s and can run any where from 4% to
90% utilization with a rough average of about 62% (20Mb/s).
Does anyone know from personal experience if the PIX 515e can reliably
handle this magnitude of usage doing both filtering and NAT?
By "filtering" are you referring to ACLs, or to web content filtering through an
off-box "censorware" solution? (NetNanny, Websense, Smartfilter, etc)
On Thu, 27 Jan 2005 14:54:48 -0500, Jason Albuquerque
<JAlbuquerque@northkingstown.org> wrote:
Yes a 515e is very capable of handling filtering and Nat and Some!! Here
it is used for Filtering, NAT, DMZ, ACL's, 4 VLANs, VPN and more for a
municipality.
The PIX should be able to handle this traffic under normal usage, I have run
into performance problems with PIX when even a small number of internal
clients become infected with network scanning worms; in my particular case
the client was sourcing from a bogus IP address (a RFC1918 address not
actually used on the internal network), so TCP requests would be sourced
out from "trusted" but no replies would ever come back, seems to be a
state table issue.
Pre-filtering both inbound and outbound traffic to drop spoofed sources
mitigated the PIX issue until the underlying worm infestation was addressed.
Just one more "gotcha" to watch for.
Kevin Kadow
