Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363


From: Daniel Hartmeier <daniel () benzedrine cx>
Date: Wed, 16 Oct 2002 15:53:37 +0200

On Wed, Oct 16, 2002 at 08:20:09AM -0500, Stephen Gill wrote:

> In my opinion if a stateful firewall claims it can filter at rate X
> (64byte packets, etc...), it should be able to filter at that rate under
> all conditions.

Obviously, for any X, when each packet is part of a TCP handshake, the
X/2 (or /3, depending on how you count) newly established connections per
second will exhaust memory on the firewall after a certain amount of time.

I don't think you meant 'be able to filter at that rate' to include
'dropping legitimate connections when running out of memory', did you?

> I'd like to learn some of the other methods being used for mitigation
> amongst vendors.

Yes, that's what I'd find most interesting to read in vendor statements
myself. :)

Daniel
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
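The arithmetic in the reply above, as an added example that is not part of the original thread or of any vendor's product: a toy state table that keeps one entry per half-open TCP connection with a fixed timeout, fed a constant stream of handshakes. Capacity, rates and timeout are assumed values chosen for illustration.

```python
"""Constructed model of a stateful firewall's state table under a
handshake-only packet stream.  Each entry lives until its half-open
timeout expires; a full table rejects new connections."""
import heapq


class StateTable:
    """Fixed-capacity table of half-open entries, kept as a heap of expiry times."""

    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout
        self.expiries = []      # min-heap of absolute expiry times (seconds)
        self.rejected = 0

    def reap(self, now):
        # Free every entry whose timeout has passed.
        while self.expiries and self.expiries[0] <= now:
            heapq.heappop(self.expiries)

    def add(self, now):
        """Create a half-open entry; False means the table is out of memory."""
        self.reap(now)
        if len(self.expiries) >= self.capacity:
            self.rejected += 1
            return False
        heapq.heappush(self.expiries, now + self.timeout)
        return True


def simulate(capacity, timeout, syn_rate, legit_rate, seconds):
    """Offer syn_rate attack handshakes and legit_rate real handshakes per
    second.  Returns (first second the table was full, legitimate drops)."""
    table = StateTable(capacity, timeout)
    first_full, legit_dropped = None, 0
    for now in range(seconds):
        for _ in range(syn_rate):
            if not table.add(now) and first_full is None:
                first_full = now
        for _ in range(legit_rate):
            if not table.add(now):
                legit_dropped += 1
    return first_full, legit_dropped


def seconds_until_full(capacity, rate, timeout):
    """Closed form for one-second batches: the table only fills if entries
    outlive the fill time (rate * timeout > capacity), at tick capacity // rate."""
    return capacity // rate if rate * timeout > capacity else None
```

Shortening the half-open timeout until rate × timeout no longer exceeds the table capacity is the one mitigation this model captures; it says nothing about mechanisms that avoid allocating state for unacknowledged handshakes in the first place.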