Followup: zone-based firewall performance

The Zone-based firewall performance post has generated a few interesting comments. William Chu and an anonymous reader posted links to a Cisco ZBFW performance document. The document claims that the performance of TCP session inspection was significantly increased in 12.4(4)T (which would apply to CBAC as well, since zone-based firewalls were introduced in 12.4(6)T), but the maximum HTTP throughput numbers for ZBFW are much lower than the Cisco IOS Firewall Performance figures (table 3 of the Cisco Integrated Firewall Solutions document). One can only guess that the discrepancy does not mean that CBAC is twice as fast as ZBFW, but rather illustrates the gap between real-life test scenarios and marketing figures.

David has also mailed me an interesting observation: CBAC inspects all traffic exiting (or entering) an interface, whereas ZBFW inspects only inter-zone traffic. This distinction does not matter in common scenarios where there is little traffic between external interfaces, but it could become important if you use the IOS firewall to filter traffic between two IP networks and have multiple transit interfaces in each network: traffic between two interfaces that belong to the same zone is passed without inspection.
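To make the difference concrete, here is an added configuration sketch (not from the original post or from Cisco documentation; the interface, zone, class-map and policy-map names are made up) showing the CBAC form beside the ZBFW form on a router with two transit interfaces in the inside network:

```cisco
! ---------- CBAC (classic IOS firewall) ----------
! The inspection rule is bound to an interface and direction, so it
! applies to *everything* leaving Gi0/0, including traffic that entered
! the router on the other inside transit interface Gi0/1.
ip inspect name CBAC-TCP tcp
!
interface GigabitEthernet0/0
 description inside transit link A
 ip inspect CBAC-TCP out
!
interface GigabitEthernet0/1
 description inside transit link B
 ip inspect CBAC-TCP out
!
! ---------- ZBFW (zone-based policy firewall) ----------
class-map type inspect match-any CM-TCP
 match protocol tcp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-TCP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! Policy exists only for the INSIDE -> OUTSIDE pair. Return traffic of
! inspected sessions is allowed by the stateful "inspect" action.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Both transit links are members of the same zone. Traffic between
! Gi0/0 and Gi0/1 is intra-zone: it is forwarded without ever touching
! the inspect policy (the ZBFW default for intra-zone traffic is pass).
interface GigabitEthernet0/0
 description inside transit link A
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description inside transit link B
 zone-member security INSIDE
!
interface GigabitEthernet0/2
 description link towards the other IP network
 zone-member security OUTSIDE
```

If you do want the ZBFW to filter between the two transit links, the only way to get that behaviour is to put them in different zones and add a zone-pair (with its own service-policy) between those zones; the number of zone-pairs grows quickly as the number of such interfaces grows.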

2 comments:

  1. The discrepancy between the two docs is the result of an error when the "Integrated Firewall Solutions" was updated, shortly before the ASR launch. Zone Firewall in all releases between 12.4(6)T and 12.4(15)T applies the same basic underpinnings as Classic FW, so performance should be roughly on par, unless application-specific inspection is applied.

    Regarding the comment about David's observation; I'm not sure I understand the significance. If you need to apply policy between interfaces, they need to be in different zones. Unless I'm mistaken, that's the well-known expectation for using Zone Firewall. Granted, this behavior has limits in cases where very large numbers are all assigned to unique zones, because managing the number of zone-pairs could become tedious. In this case, the firewall would need to offer a capability to apply intra-zone policy between interfaces. I bet that if you wait long enough, you'll see this happen.

  2. Thanks for the feedback. I suspected that they use the same infrastructure, but it's nice to get the confirmation.

    I'll write another post detailing the design I wrote about ... obviously I have a bit of a problem getting the wording right every now and then :) After all, English is not my native language.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.