Firewall Wizards mailing list archives
Re: Inspecting routers
From: Lorens Kockum <firewall-wizards-20021015 () tagged lorens org>
Date: Tue, 26 Nov 2002 10:31:42 +0100
On Mon, Nov 25, 2002 at 05:22:57PM -0800, Kyle R. Hofmann wrote:
> On Mon, 25 Nov 2002 18:20:49 +0100, Lorens Kockum wrote:
>> Other than that, stateful filtering on the external router will basically protect you from some consequences of having worse TCP stack implementations on the web servers than on your routers.
>
> This is not strictly true. Pure stateful filtering may still allow maliciously constructed TCP segments. You are thinking of packet normalization, which usually has stateful filtering as a prerequisite.

Yes - and I'm not sure "routers" do normalization. I should have emphasized "some" :-)

>> It will, on the other hand, cost you. Stateful filtering is more expensive than non-stateful in terms of CPU / memory / performance.
>
> This is not true for all implementations, and probably not even for most.

Brain glitch re filtering/non-filtering. Sorry. (Same thing to Mikael).

--
#include <std_disclaim.h>
Lorens Kockum
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
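
Added example, not part of the original post or thread: a toy model of the distinction drawn above between pure stateful filtering and packet normalization, showing a segment that passes a flow-table check yet is dropped or cleaned once a normalization step follows it. Every name, address and rule here is a hypothetical simplification (a real state tracker also checks sequence windows, and real normalizers apply their own rule sets).

```python
# Added illustration: toy stateful filter vs. normalizer (all names hypothetical).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10    # TCP flag bits (RFC 793)

class StatefulFilter:
    """Admits a segment only if it opens, or belongs to, a tracked flow."""
    def __init__(self, service_port=80):
        self.service_port = service_port
        self.flows = set()                     # tracked (src, sport, dst, dport)

    def allow(self, seg):
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        if key in self.flows:
            return True                        # flow membership is the only test
        if seg["flags"] == SYN and seg["dport"] == self.service_port:
            self.flows.add(key)                # a bare SYN to the service opens a flow
            return True
        return False

def normalize(seg):
    """Return a cleaned copy of seg, or None if it should be dropped."""
    flags = seg["flags"]
    if flags == 0 or (flags & SYN and flags & (FIN | RST)):
        return None                            # null or contradictory flag set
    return dict(seg, reserved=0)               # zero the reserved header bits

def inspect(fw, seg, scrub):
    """State check first; normalization, if enabled, runs on what passed it."""
    if not fw.allow(seg):
        return None
    return normalize(seg) if scrub else seg

def demo():
    # Constructed sample segments (documentation address ranges).
    base = {"src": "192.0.2.10", "sport": 40000,
            "dst": "198.51.100.5", "dport": 80, "reserved": 0}
    syn = dict(base, flags=SYN)
    odd = dict(base, flags=SYN | FIN | ACK, reserved=0b101)
    ack = dict(base, flags=ACK, reserved=0b101)
    results = {}
    for scrub in (False, True):
        fw = StatefulFilter()
        inspect(fw, syn, scrub)                # set up the flow
        results[scrub] = (inspect(fw, odd, scrub), inspect(fw, ack, scrub))
    return results

if __name__ == "__main__":
    for scrub, (odd, ack) in demo().items():
        print("normalize" if scrub else "state only", "->", odd, ack)
```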