GJ said:
Hello,
Does using IPSec solely as a packet filter to lock down ports incur
significant overhead?

[I don't have statistics, just some experience and understanding of
the mechanisms involved so take this into consideration.]
The main performance problem I have seen (may be
fixed now because it is not nearly as bad as in previous
SP versions of Win2000 server) is during the processing
of the new policy (I have something like 500 rule-filters
in there).  It can take the processor to 99% for a bit -- or
used to do so.
After that, the performance may/should actually improve, since
there is no reason to send back a port redirector or other
negative answer for anything that isn't passed through to
the running, authorized services.
It doesn't seem to notice that there are a lot of rules WHEN
running -- my guess is that long (pre) processing time is used
to optimize the storage for fast (later and repeated) lookup.

GJ said:
I'm planning on using it to help protect a publicly
accessible web server, in addition to a firewall device. Or is using a
firewall enough by itself?

I think of the firewall as IN ADDITION to IPSec, and
do use IPSec for the purpose you intend.
BTW, I found it easier to write a Perl program to BUILD
the IPSecPol/CMD commands than to write them out by
hand or use the world's most complicated wizard (IPSec
policy wizard in the GPO editor etc.)
My program that writes these is semi-table driven and
somewhat idiosyncratic to my policies but it is much
easier to keep things straight this way.
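The table-driven generator described in the reply, reconstructed as an added example (in Python rather than the poster's Perl; this is not the poster's script). It assumes the ipsecpol.exe command form `ipsecpol -w REG -p "policy" -r "rule" -f src+dst -n PASS|BLOCK [-x]`, with `0` meaning this host, `*` any host, `addr:port:proto` for the endpoint that carries the port, `+` for a mirrored filter, and `-x` activating the policy; the service table and policy name are constructed sample data. The check that matters for a lockdown policy is the one the generator enforces: exactly one catch-all BLOCK, and every PASS traceable to a named row in the table, so nothing ends up open that was not deliberately listed.

```python
"""Generate ipsecpol.exe commands from a service table (added example).

Assumed ipsecpol syntax (verify with `ipsecpol /?` on the target host):
    ipsecpol -w REG -p "<policy>" -r "<rule>" -f <src>+<dst> -n PASS|BLOCK [-x]
where 0 = this host, * = any host, <addr>:<port>:<proto> names the endpoint
that carries the port, '+' makes the filter mirrored, and -x activates.
IPSec packet filtering is stateless, so outbound traffic the server itself
initiates (DNS, updates) needs its own PASS row with direction "out".
"""
from dataclasses import dataclass
from typing import Iterable, List

ALLOWED_PROTOS = {"TCP", "UDP"}


@dataclass(frozen=True)
class Service:
    """One row of the service table."""
    name: str
    port: int
    proto: str = "TCP"
    peer: str = "*"        # remote side: '*' (any) or A.B.C.D/mask
    direction: str = "in"  # 'in' = peer -> this host, 'out' = this host -> peer


def _filter_spec(svc: Service) -> str:
    """Build the -f argument; the port/proto sit on the endpoint being reached."""
    endpoint = f"{svc.port}:{svc.proto.upper()}"
    if svc.direction == "in":
        return f"{svc.peer}+0:{endpoint}"
    return f"0+{svc.peer}:{endpoint}"


def _validate(svc: Service) -> None:
    if not 1 <= svc.port <= 65535:
        raise ValueError(f"{svc.name}: port {svc.port} out of range")
    if svc.proto.upper() not in ALLOWED_PROTOS:
        raise ValueError(f"{svc.name}: unsupported protocol {svc.proto}")
    if svc.direction not in ("in", "out"):
        raise ValueError(f"{svc.name}: direction must be 'in' or 'out'")


def build_commands(policy: str, services: Iterable[Service],
                   activate: bool = True) -> List[str]:
    """Return ipsecpol command lines: one catch-all BLOCK, then a PASS per row.

    IPSec matches the most specific filter, not the first one listed, so the
    wildcard BLOCK and the narrow PASS filters coexist regardless of order.
    """
    base = f'ipsecpol -w REG -p "{policy}"'
    cmds = [f'{base} -r "Block all" -f *+0:*:* -n BLOCK']
    seen = set()
    for svc in services:
        _validate(svc)
        spec = _filter_spec(svc)
        if spec in seen:  # two rows opening the same hole is almost always a table error
            raise ValueError(f"duplicate filter {spec} ({svc.name})")
        seen.add(spec)
        cmds.append(f'{base} -r "Allow {svc.name}" -f {spec} -n PASS')
    if activate:
        cmds[-1] += " -x"  # activate once, on the last rule added
    return cmds


def pass_rule_count(cmds: List[str]) -> int:
    """Number of PASS rules, handy for eyeballing a policy with hundreds of rows."""
    return sum(1 for c in cmds if "-n PASS" in c)


# Constructed sample table for a public web server.
WEB_SERVER = [
    Service("HTTP", 80),
    Service("HTTPS", 443),
    Service("RDP from admin net", 3389, peer="192.0.2.0/24"),
    Service("DNS lookups", 53, proto="UDP", peer="192.0.2.53", direction="out"),
]

if __name__ == "__main__":
    for line in build_commands("Web lockdown", WEB_SERVER):
        print(line)
```

Emit the lines into a .cmd file and run it on the server; the catch-all BLOCK alone would also cut the host off from its own outbound lookups, which is why the table carries a direction column rather than assuming everything is inbound.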