Firewall Wizards mailing list archives

Re: Inspecting routers


From: Lorens Kockum <firewall-wizards-20021015 () tagged lorens org>
Date: Tue, 26 Nov 2002 10:31:42 +0100

On Mon, Nov 25, 2002 at 05:22:57PM -0800, Kyle R. Hofmann wrote:
> On Mon, 25 Nov 2002 18:20:49 +0100, Lorens Kockum wrote:
> 
> > Other than that, stateful filtering on the external router will
> > basically protect you from some consequences of having worse TCP
> > stack implementations on the web servers than on your routers.
> 
> This is not strictly true.  Pure stateful filtering may still allow
> maliciously constructed TCP segments.  You are thinking of packet
> normalization, which usually has stateful filtering as a prerequisite.

Yes - and I'm not sure "routers" do normalization. I should have
emphasized "some" :-)

> > It will, on the other hand, cost you.  Stateful filtering is
> > more expensive than non-stateful in terms of CPU / memory /
> > performance.
> 
> This is not true for all implementations, and probably not even for most.

Brain glitch re filtering/non-filtering. Sorry. (Same thing to Mikael).

-- 
#include <std_disclaim.h>                          Lorens Kockum
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
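The distinction Kyle draws above (stateful filtering admits any segment that fits the tracked flow; normalization additionally resolves ambiguous or contradictory segments before the end host sees them) can be shown with a small model. This is an added toy example, not code from either poster or from any product they mention. The sequence numbers, window size, payloads and the two host reassembly policies are all constructed for illustration; a real normalizer does more than the single overlap check modelled here.

```python
"""Toy model of stateful filtering versus packet normalization.

Added example for the thread above; not code from the original posts.
All sequence numbers, payloads and the window size are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


class StatefulFilter:
    """Tracks one flow and forwards any segment that lies inside the window.

    Retransmissions are legitimate, so data below rcv_nxt is allowed too.
    Nothing checks whether a retransmission agrees with bytes already
    forwarded, which is exactly the gap Kyle points at.
    """

    def __init__(self, rcv_nxt: int, window: int = 65535):
        self.rcv_nxt = rcv_nxt
        self.window = window

    def in_window(self, seg: Segment) -> bool:
        end = seg.seq + len(seg.payload)
        return self.rcv_nxt - self.window <= seg.seq and end <= self.rcv_nxt + self.window

    def accept(self, seg: Segment) -> bool:
        if not self.in_window(seg):
            return False
        self.rcv_nxt = max(self.rcv_nxt, seg.seq + len(seg.payload))
        return True


class Normalizer(StatefulFilter):
    """Stateful filter plus TCP reassembly state.

    Remembers every byte already forwarded at each sequence offset and drops
    a segment whose bytes contradict them, so the server never has to pick a
    winner between two overlapping copies of the same offsets.
    """

    def __init__(self, rcv_nxt: int, window: int = 65535):
        super().__init__(rcv_nxt, window)
        self.seen = {}   # sequence offset -> byte value already forwarded

    def accept(self, seg: Segment) -> bool:
        if not self.in_window(seg):
            return False
        for i, b in enumerate(seg.payload):
            prev = self.seen.get(seg.seq + i)
            if prev is not None and prev != b:
                return False   # contradictory overlap: drop, do not advance
        for i, b in enumerate(seg.payload):
            self.seen[seg.seq + i] = b
        self.rcv_nxt = max(self.rcv_nxt, seg.seq + len(seg.payload))
        return True


def reassemble(segments, favor_new: bool) -> bytes:
    """Model two host policies for overlapping data.

    favor_new=False keeps the first copy of each byte; favor_new=True lets a
    later segment overwrite. Stacks genuinely differ here, which is the
    'worse TCP stack on the server than on the router' problem in the thread.
    Assumes the accepted segments cover a contiguous byte range.
    """
    buf = {}
    for seg in segments:
        for i, b in enumerate(seg.payload):
            off = seg.seq + i
            if favor_new or off not in buf:
                buf[off] = b
    return bytes(buf[o] for o in range(min(buf), max(buf) + 1))


def filter_stream(fw: StatefulFilter, segments):
    return [s for s in segments if fw.accept(s)]


# Constructed sample: the second segment re-sends offsets 1005-1014 with
# different bytes, so the request the server sees depends on its overlap policy.
ISN = 1000
SEGMENTS = [
    Segment(ISN, b"GET /index.html"),       # offsets 1000-1014
    Segment(ISN + 5, b"admin.html"),        # offsets 1005-1014, contradictory
    Segment(ISN + 15, b" HTTP/1.0\r\n"),    # offsets 1015-1025
]


def demo() -> dict:
    stateful = filter_stream(StatefulFilter(ISN), SEGMENTS)
    normalized = filter_stream(Normalizer(ISN), SEGMENTS)
    return {
        "stateful_passed": len(stateful),
        "normalized_passed": len(normalized),
        "server_favors_old": reassemble(stateful, favor_new=False),
        "server_favors_new": reassemble(stateful, favor_new=True),
        "after_normalizer": reassemble(normalized, favor_new=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The stateful filter forwards all three segments, and the two host policies then reconstruct different requests from the same wire bytes; the normalizer drops the contradictory second segment, so both policies yield the same request. Production normalizers (pf's scrub, for example) also reassemble IP fragments and enforce a TTL floor, which this model leaves out.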