RE: TCP Intercept: msg#00119network.nsp.cisco
We have been doing some testing. We were trying stuff on the router and stuff on the PIX. On the router side, testing intercept shot the CPU from under 20 to above 60... this was with 3 hosts simulating attacks to an internal host. I think we opted to turn this feature off and use the PIX 6.2.3 which takes similar action using embryonic values set to 1. 6.2.2 had a bug so don't try it there, only 6.2.3 if you go that route. my 2 cents.

thx
kevin

-----Original Message-----
From: Sam Stickland [mailto:sam_ml@xxxxxxxxxxxxxx]
Sent: Tuesday, August 05, 2003 12:01 PM
To: Cisco Nsp
Subject: [nsp] TCP Intercept

I've got some questions about the TCP intercept feature.

Firstly, while I understand what the technical differences between the watch and intercept modes are, I'm not sure what the differences in efficiency between the two are (both in the catching of attacks and the CPU load).

Secondly, I'm not sure what good it would do to place this on the core routers of a large network. What's the typical connections per second rate that would start to overwhelm a typical server? If the incoming connections per second rate for the entire network is comparable then the necessary 'ip tcp intercept max-incomplete high' setting isn't going to do much to protect the servers, is it?

Sam

_______________________________________________
cisco-nsp mailing list
cisco-nsp@xxxxxxxxxxxxxxx
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
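Added example, not from either message in the thread: an IOS TCP intercept configuration that scopes the feature to a single protected server block and uses watch mode, showing where the thresholds Sam asks about sit and why they are a router-wide, not per-server, limit. The ACL number, the 192.0.2.0/24 server block and the threshold values are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Addresses, ACL number and
! thresholds are assumptions, not recommended values.
!
! Only SYNs toward the protected server block are examined; traffic
! that does not match the list bypasses intercept and costs no extra CPU.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
!
! watch mode: the router passes the SYN through and only resets the
! connection if the server has not completed the handshake within
! watch-timeout. Intercept mode instead proxies the three-way handshake
! for every matching SYN, which is where the CPU cost comes from.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive mode starts when the number of incomplete connections (or
! the number seen in the last minute) crosses the high mark and ends when
! it drops below the low mark. These counters are global to the router,
! so size them against what the protected servers can absorb, not the
! aggregate connection rate of the whole network.
ip tcp intercept max-incomplete high 600
ip tcp intercept max-incomplete low 500
ip tcp intercept one-minute high 600
ip tcp intercept one-minute low 500
!
! In aggressive mode each new SYN evicts the oldest partial connection.
ip tcp intercept drop-mode oldest
!
! Verify after enabling:
!   show tcp intercept statistics
!   show tcp intercept connections
```

Watch the CPU on the router while the list is in place; widening the ACL to the whole network is what turns this into the load Kevin describes.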