Firewall Wizards mailing list archives
RE: PIX vs Checkpoint vs Sonicwall vs Netscreen - comments?
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Fri, 2 Aug 2002 10:43:57 +1000
-----Original Message-----
From: David Klein [mailto:dklein () netscreen com]
Sent: Friday, August 02, 2002 6:32 AM

> This changes in ScreenOS 4.0. The multiplicative nature of expanding admin-defined policies with groups into "ASIC policies" changes to an additive nature. So if I have a policy using a src_addr group of 6 subnets and a dest_addr group of 7 subnets then it will only generate 13 instead of 42 "ASIC policies".
Hmm, Dave, I guess I'm just going to have to ask you to explain this in a bit more detail. My (admittedly limited) understanding of ASIC design, packet filtering techniques and algorithm design doesn't understand how you might get 13 rules out of this.

Unless, of course, you are using fall-through, multiple-path (tree-like) rule tables. This would mean your rules, instead of being a straight match list:

    SrcIP=xxx, DstIP=yyy, SVC=sv1, Allow
    SrcIP=xxx, DstIP=yyy, SVC=sv2, Allow
    SrcIP=xxx, DstIP=yyy, SVC=sv3, Allow
    SrcIP=xxx, DstIP=yyy, SVC=sv4, Allow

You now have a "tree-like" match list:

    SrcIP=xxx, go_sub_A
    SrcIP=xx2, go_sub_A
    SrcIP=xx3, DstIP=yyy, SVC=sv0, Allow

    go_sub_A:
        DstIP=yy1, go_sub_B
        DstIP=yy2, go_sub_B
        return

    go_sub_B:
        SVC=sv1, Allow
        SVC=sv2, Allow
        SVC=sv3, Allow
        return

I can see some problems in ASIC performance if the ASIC was not designed to cope with this. (Mind you, NetScreen have some funky programmers; who knows what sort of cute kludges might be used.)

My concern with this form of rule organisation/re-rendering is that (just like "best-fit" rule ordering) there may be circumstances in which unexpected combinations occur. I think that this is covered in detail in Brent Chapman's Firewalls book.

[Discussion: If the designers have, in fact, done this, then I can't see them restricting the ASIC_policies ordering to a "per GUI-rule" basis. Thus I would expect them to take the entire GUI ruleset and then normalise and render as an ASIC_rule tree. -- This is what bothers me.]
> This does not require a change to the ASIC or any hardware components for that matter.
It is this comment that makes me suspect tree-like rather than first-match rule parsing...

Dave, please comment....

Kind Regards,
Crispin Harris
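As an added example, not code from this thread, from NetScreen, or from any vendor: a small Python model of the two rendering styles being argued about above. The "flat" renderer expands a src-group/dst-group policy multiplicatively (6 x 7 = 42 entries); the "tree" renderer keeps one branch per address object under each admin rule (6 + 7 = 13 entries) and evaluates rules in order. It also models the "unexpected combinations" concern: a hypothetical normalisation (`naive_merge`) that collapses every admin rule into a single shared src-list/dst-list/service-list subtree, which permits pairings no individual rule allowed. The subnets, packets, and `naive_merge` are constructed assumptions for illustration, not a description of how ScreenOS 4.0 actually renders policies.

```python
"""Added example, not code from the original thread or from any vendor:
a toy model of multiplicative ("flat") vs additive ("tree-like") policy
rendering, using constructed sample subnets and packets."""
import ipaddress

# Constructed sample groups: 6 source subnets, 7 destination subnets.
SRC_GROUP = [f"10.{i}.0.0/16" for i in range(1, 7)]
DST_GROUP = [f"192.168.{i}.0/24" for i in range(1, 8)]


def expand_flat(src_group, dst_group, ports, action="allow"):
    """Multiplicative rendering: one entry per (src, dst) pair, each
    carrying the rule's service set and action. 6 x 7 = 42 entries."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), set(ports), action)
            for s in src_group for d in dst_group]


def match_flat(entries, src, dst, port):
    """First-match walk over the flat list. None means implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d, ports, action in entries:
        if src in s and dst in d and port in ports:
            return action
    return None


class PolicyTree:
    """Additive rendering: each admin rule becomes its own subtree with one
    branch per source object and one per destination object, so the entry
    count is 6 + 7 = 13 rather than 42. Rules are evaluated in order."""

    def __init__(self):
        self.rules = []  # (src_nets, dst_nets, ports, action), in admin order

    def add_rule(self, src_group, dst_group, ports, action="allow"):
        self.rules.append(([ipaddress.ip_network(s) for s in src_group],
                           [ipaddress.ip_network(d) for d in dst_group],
                           set(ports), action))

    def entry_count(self):
        # Address branches only, to match the 13-vs-42 figures in the thread.
        return sum(len(s) + len(d) for s, d, _, _ in self.rules)

    def match(self, src, dst, port):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_nets, dst_nets, ports, action in self.rules:
            if (any(src in n for n in src_nets)
                    and any(dst in n for n in dst_nets) and port in ports):
                return action
        return None


def naive_merge(tree):
    """Hypothetical (and wrong) normalisation, assumed for illustration:
    collapse every rule into ONE src-list -> dst-list -> service-list
    subtree. This is the 'unexpected combinations' failure mode: it permits
    src/dst/service pairings that no single admin rule allowed."""
    merged = PolicyTree()
    src = [n for s, _, _, _ in tree.rules for n in s]
    dst = [n for _, d, _, _ in tree.rules for n in d]
    ports = set().union(*(p for _, _, p, _ in tree.rules))
    merged.rules.append((src, dst, ports, "allow"))
    return merged


def demo():
    flat = expand_flat(SRC_GROUP, DST_GROUP, [80])
    tree = PolicyTree()
    tree.add_rule(SRC_GROUP, DST_GROUP, [80])
    # Constructed packets: (src, dst, dst_port)
    packets = [("10.3.1.1", "192.168.5.10", 80),   # in both groups -> allow
               ("10.3.1.1", "192.168.5.10", 443),  # wrong service -> deny
               ("10.9.1.1", "192.168.5.10", 80)]   # src outside group -> deny
    same = all(match_flat(flat, *p) == tree.match(*p) for p in packets)

    # Two separate admin rules, then the naive cross-rule merge.
    two = PolicyTree()
    two.add_rule(["10.1.0.0/16"], ["192.168.1.0/24"], [80])
    two.add_rule(["10.2.0.0/16"], ["192.168.2.0/24"], [22])
    cross = ("10.1.5.5", "192.168.2.9", 22)  # permitted by neither rule
    return {"flat_entries": len(flat), "tree_entries": tree.entry_count(),
            "same_decisions": same,
            "per_rule_tree": two.match(*cross),
            "naive_merge": naive_merge(two).match(*cross)}


if __name__ == "__main__":
    print(demo())
```

Run as-is, `demo()` reports 42 flat entries against 13 tree entries with identical decisions for the sample packets, and shows the per-rule tree denying the cross-rule packet while the merged tree allows it. The point of the check is that an additive rendering is only safe while each admin rule keeps its own subtree; the moment subtrees are shared across rules to save entries, the Cartesian product quietly comes back as permitted traffic.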