
Can IDS on PIX 506E impact performance?

I'm having some performance issues with my network and internet seeming to be running slower than usual and one of the big variables that's changed is the introduction of a PIX 506E as our new perimeter firewall.  Currently I have IDS checking traffic on the outside interface, but I'm wondering if it's possible for the IDS to actually impact performance of traffic coming in from outside or traffic going outside from the inside.

Is this a plausible reason for slower network traffic or is the IDS feature fast enough that I really shouldn't be considering it?

Thanks
1 Solution
lrmoore Commented:
That sort of depends....
How many users behind the PIX? How much bandwidth in front of it? What else are you asking of it? Multiple VPN tunnels? Extensive ACLs? Do you have every available signature enabled? Using an attack policy to block or just notify?

Can you quantify what "seems to be running slower than usual" means? What did you have in place before the PIX?
Use the PDM GUI to monitor the memory and CPU usage and see how they are doing. If they are OK, then you may have something else like a duplex mismatch or other network issue in play.

promap (Author) Commented:
I've probably got 20 users behind the PIX and a full T1 connection in front of it (We're having a second T1 bonded soon).  Nothing that I would consider majorly extensive ACLs and no VPN traffic.  I did go through and disable the unnecessary signatures and my IDS policy just notifies.

The best way to describe the slowness is that it seems to take longer for pages to come up after the initial request.  Type in a web address...press enter...and it seems to take a little longer to load it up.  Before the PIX we had a 3Com OfficeConnect, but if I'm not mistaken the PIX is much better than the 3Com we had.

I'm honestly not sure if it's even the PIX at all.  I'm just trying to rule out some of the obvious changes.  I checked the system stats and memory usage is holding right at 16MB and CPU usage is running a steady 0%.  

Think I should be looking for other network culprits?

lrmoore Commented:
It certainly does not look like the PIX is even breathing hard, so how about looking for duplex mismatch between the PIX outside interface and the T1 router. Do you have a switch that they both plug into, or using crossover cable?
How about errors on the T1 interface? CRC errors/frame errors indicate a telco line issue or wiring between your router and the T1 smartjack.

Do you have a Proxy server perchance?

promap (Author) Commented:
The connection between the router and the PIX is a standard crossover cable and then the PIX uses a straight through cable to connect to one of my infrastructure switches which all my workstations connect to (either directly or indirectly through another switch).  

As far as outside interface config I've got it set to auto so I thought it would autonegotiate to figure the correct duplex setting out.

Sorry if this is a stupid question, but when you say "errors on the T1 interface" do you mean check the outside interface on the PIX or actually check the interface on the router itself?

No proxy server either.

lrmoore Commented:
>As far as outside interface config I've got it set to auto so I thought it would autonegotiate to figure the correct duplex setting out.
Autonegotiation only happens between switches and hosts, not between end hosts. If your router is set to 100/full-duplex, then be sure to set the PIX interface the same.

>Sorry if this is a stupid question, but when you say "errors on the T1 interface" do you mean check the outside interface on the PIX or actually check the interface on the router itself?
Yes, on the router itself. Assuming it is a Cisco router - use "show interface serial <whatever>"


promap (Author) Commented:
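The checks lrmoore suggests in this thread (match the duplex setting on both ends of the crossover cable, then look at the error counters) can be scripted against saved `show interface` output. This is an added example, not part of the original thread; the two samples are constructed in the style of PIX 6.x and IOS output, not captured from real devices, and the 1-in-10,000 error-rate limit is an assumed rule of thumb.

```python
import re

# Constructed sample in the style of PIX 6.x "show interface" output (not from a real device).
PIX_OUTSIDE = """\
interface ethernet0 "outside" is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit half duplex
        412345 packets input, 210987654 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 2893 collisions, 0 interface resets
        0 babbles, 1174 late collisions, 0 deferred
"""

# Constructed sample in the style of IOS "show interface" for the router's LAN port.
ROUTER_LAN = """\
FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     401234 packets input, 123456789 bytes
     57 input errors, 57 CRC, 0 frame, 0 overrun, 0 ignored
"""

COUNTERS = ("packets input", "input errors", "CRC", "frame", "collisions", "late collisions")

def parse_duplex(text):
    """Return 'full' or 'half' from either the PIX or the IOS wording, or None."""
    m = re.search(r"\b(full|half)[ -]duplex\b", text, re.IGNORECASE)
    return m.group(1).lower() if m else None

def parse_counters(text):
    """Pull the counters that reveal duplex mismatches and line faults. The
    'N input errors, N CRC, N frame, ...' line has the same shape on an IOS
    serial interface, so this also works on 'show interface serial' output."""
    found = {}
    for name in COUNTERS:
        m = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        found[name] = int(m.group(1)) if m else 0
    return found

def diagnose(pix_text, router_text, error_rate_limit=1e-4):
    """Duplex agreement, late collisions (classic mismatch symptom), CRC/frame rate."""
    findings = []
    pix_dup, rtr_dup = parse_duplex(pix_text), parse_duplex(router_text)
    if pix_dup and rtr_dup and pix_dup != rtr_dup:
        findings.append(f"duplex mismatch: PIX is {pix_dup}, router is {rtr_dup}")
    for side, text in (("PIX", pix_text), ("router", router_text)):
        c = parse_counters(text)
        if c["late collisions"]:
            findings.append(f"{side}: {c['late collisions']} late collisions (half-duplex side of a mismatch)")
        bad = c["CRC"] + c["frame"]
        if c["packets input"] and bad / c["packets input"] > error_rate_limit:
            findings.append(f"{side}: {bad} CRC/frame errors in {c['packets input']} packets (check cabling or line)")
    return findings
```

Run `diagnose(PIX_OUTSIDE, ROUTER_LAN)` and the constructed samples produce all three findings; a clean pair of interfaces returns an empty list.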
Unfortunately I don't control the router...it's a managed router through my ISP.  Any idea what the duplex setting would be for a full T1 connection?  10/full?


lrmoore Commented:
The duplex setting depends on the capabilities of the router. The PIX can be either 10 or 100, half or full.
Find out what the router is set for, and match it.