Firewall Wizards mailing list archives

Re: Inspecting routers


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Mon, 25 Nov 2002 23:39:59 +0100


Hullo,

I've got some disagreeing to do ...

Lorens Kockum wrote:

> It will, on the other hand, cost you.  Stateful filtering is
> more expensive than non-stateful in terms of CPU / memory /
> performance.

... here. Stateful filtering is indeed more expensive in terms
of memory.  It _might_ be more expensive if what you are doing
is adding and removing real rules to/from the ruleset à la
Cisco router reflexive ACLs (but I thought people stopped doing
that after Nimda killed their routers; maybe I'm wrong :P)

IF however you are using a firewall built expressly for SPFing,
you'll find that it's LESS expensive in terms of CPU crunching
and performs better.  Think about it; a state lookup can be done
with a single hash lookup on primitive data types. A (linear)
ruleset lookup will result in lookups against (typically) more
complex datatypes, one for each and every rule you look at.

That said, one _can_ get fancy on the rule lookup algorithm itself and 
get it done in more-or-less constant time, but that still only puts 
things more or less on par with the speed of the state lookup, and with 
none of the benefits that you can get from keeping state.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
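The cost argument in the message above, shown in code. This is an added example, not code from the post or from Clavister: a constructed five-rule linear ruleset (CIDR prefixes, protocol, port ranges) next to a state table keyed by a direction-independent 5-tuple. Every lookup reports how many rules it had to examine, so the difference between a hash hit on primitive data and a walk over structured rule comparisons is visible directly; the addresses, rule names and the `flow_key` helper are all assumptions made for the illustration.

```python
"""Stateless ruleset walk vs. hash-keyed state table (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport_lo: int
    dport_hi: int
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        # Several structured comparisons per rule: two prefix matches,
        # a protocol compare and a port-range compare.
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport_lo <= p.dport <= self.dport_hi)


# Constructed ruleset (hypothetical addresses); the last rule is the default deny.
RULESET = [
    Rule(ip_network("10.0.0.0/8"),  ip_network("192.0.2.0/24"),  "tcp", 22, 22, "allow"),
    Rule(ip_network("10.0.0.0/8"),  ip_network("192.0.2.0/24"),  "tcp", 80, 80, "allow"),
    Rule(ip_network("10.0.0.0/8"),  ip_network("192.0.2.0/24"),  "tcp", 443, 443, "allow"),
    Rule(ip_network("10.1.0.0/16"), ip_network("192.0.2.53/32"), "udp", 53, 53, "allow"),
    Rule(ip_network("0.0.0.0/0"),   ip_network("0.0.0.0/0"),     "any", 0, 65535, "deny"),
]


def linear_lookup(p: Packet, rules=RULESET):
    """Stateless filter: walk the ruleset; return (action, rules_examined)."""
    for i, r in enumerate(rules, start=1):
        if r.matches(p):
            return r.action, i
    return "deny", len(rules)


def flow_key(p: Packet):
    """Direction-independent 5-tuple so reply packets hit the same entry."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class StatefulFilter:
    """First packet of a flow walks the rules; the rest cost one dict lookup."""

    def __init__(self, rules=RULESET):
        self.rules = rules
        self.states = {}   # flow_key -> action; a single hash lookup on primitives

    def lookup(self, p: Packet):
        """Return (action, rules_examined); 0 means the state table answered."""
        key = flow_key(p)
        action = self.states.get(key)
        if action is not None:
            return action, 0
        action, examined = linear_lookup(p, self.rules)
        if action == "allow":
            self.states[key] = action   # only permitted flows get a state entry
        return action, examined


if __name__ == "__main__":
    syn = Packet("10.0.0.5", "192.0.2.10", "tcp", 51234, 443)
    synack = Packet("192.0.2.10", "10.0.0.5", "tcp", 443, 51234)
    fw = StatefulFilter()
    print("stateless  client->server:", linear_lookup(syn))
    print("stateless  server->client:", linear_lookup(synack))
    print("stateful   client->server:", fw.lookup(syn))
    print("stateful   server->client:", fw.lookup(synack))
```

Note what the reply packet shows: the stateless walk has to examine all five rules and still lands on the default deny, whereas the state table answers both directions with zero rule comparisons, which is the extra benefit of keeping state that the post mentions beyond the raw lookup cost.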

