Performance impact of ASA5550/5580

DannyHuston
Level 1

I need to block 4000 nodes (Ultrasurf, TOR exit nodes) and I've written a script that will ssh and copy in these objects (prob 100 at a time) into an object group and then put a blanket deny.  I don't see a flood of traffic (occasional hits every other day, etc) but I was wondering what the impact would be?  Can the ASA handle an object group of that size plus an ACL with it?  Has anyone ever figured a way to block incoming connections from TOR/Ultrasurf?


julomban
Level 3

Danny,

There has been no in-depth sizing test done on access-list. With that said here are some observations.

1) The number of ACL elements in one access-list is memory bound. Each element requires about 40-56 bytes.

2) My testing with an access-list with 4000 entries shows minimal impact on responsiveness.

As far as I know, we have not had any sizing test done. However, our access-list checks are done once per flow, so it helps minimize the impact. So far we have no report of unacceptable performance impact from the number of access-list rules. We do have some fairly large customers, so that does give me some confidence.

A rough rule of thumb I can give is that the longer the access-list, the longer the session will take to initiate. Once it is created or blocked, the impact is zero.

Regarding the UltraSurf/TOR apps, those are in a perpetual game of cat and mouse. It works on tcp port 9666, but just blocking this port doesn't help, as it works on both ports 80 & 443, and it makes things harder as they also use a lot of open proxies.

I have been looking into this for similar reasons. Option 1, from what I have found, is to have your DNS servers reference one of the RBLs that keep track of the open proxy sites. That seems to help, but I am not familiar with that option. Option 2 involves adding a 3rd party product called WebSense, which appears to have the ability to block proxy traffic like this, or an Ironport appliance.

Does that answer your question?

Regards,

Juan Lombana

Please rate helpful posts.
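An added example, not the poster's script, of how the batched object-group push described in the question could be generated, with a memory estimate based on the 40-56 bytes per element figure from the reply. The object-group name TOR_EXIT_NODES, the ACL name OUTSIDE_IN and the sample addresses are assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Per-element memory figure quoted in the reply (bytes per ACL element).
BYTES_PER_ELEMENT = (40, 56)

def normalize_blocklist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse, deduplicate and sort host/CIDR strings; skip blank, comment and malformed lines."""
    nets = set()
    for raw in entries:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: drop it rather than push broken config
    # ASA IPv6 object syntax differs, so only IPv4 is emitted here.
    return sorted(n for n in nets if n.version == 4)

def object_group_batches(name: str, nets: List[ipaddress.IPv4Network], batch: int = 100) -> List[str]:
    """Return one ASA config snippet per batch (e.g. 100 objects per ssh session).
    Re-entering the same object-group appends to it, so batches accumulate."""
    batches = []
    for i in range(0, len(nets), batch):
        lines = [f"object-group network {name}"]
        for n in nets[i:i + batch]:
            if n.prefixlen == 32:
                lines.append(f" network-object host {n.network_address}")
            else:
                lines.append(f" network-object {n.network_address} {n.netmask}")
        batches.append("\n".join(lines))
    return batches

def blanket_deny(acl: str, group: str) -> str:
    """The single deny line that references the whole group."""
    return f"access-list {acl} extended deny ip object-group {group} any"

def memory_estimate(n_elements: int) -> Tuple[int, int]:
    """Low/high byte estimate for n ACL elements at 40-56 bytes each."""
    return n_elements * BYTES_PER_ELEMENT[0], n_elements * BYTES_PER_ELEMENT[1]

# Constructed sample list (documentation ranges, not real exit nodes):
# two hosts, one CIDR, a duplicate, a junk line and a comment.
SAMPLE = ["192.0.2.10", "192.0.2.11", "198.51.100.0/24",
          "192.0.2.10", "not-an-ip", "# comment"]
```

For 4000 host entries the estimate comes out at roughly 160-224 KB of ACL memory, which is the figure to compare against free memory on the unit before pushing the group.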
