Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363 (fwd)
From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 16 Oct 2002 10:52:41 -0400 (EDT)
[Forwarded with Daniel's permission]

I'm all in favor of real data, especially when it overrides dogma. In this case, I'm guilty of just accepting the dogma that packet filtering rules and state table rules should take about as long to go through as one another and therefore it's a numbers game. Daniel's data says (at least for the test set) otherwise. This is much more interesting to me than the usual "performance" test conversations that come up around firewalls.

Paul

---------- Forwarded message ----------
Date: Wed, 16 Oct 2002 16:27:19 +0200
From: Daniel Hartmeier <daniel () benzedrine cx>
To: Paul D. Robertson <proberts () patriot net>
Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363

[ Answering this off-list, as I don't want to shamelessly advocate. ]

On Wed, Oct 16, 2002 at 10:23:08AM -0400, Paul D. Robertson wrote:

> > Keeping state can have performance benefits. Depending on your rule set, associating a packet with a state entry is cheaper than evaluating the rules. Keeping state does not 'just' increase the quality of filter decisions.
>
> Ok, I can see that if you're handling less stateful entries than you have rules, but with good rule ordering, or a busy site, I'm not sure it's a gimme. Do you have any way to measure which is better, or threshold information?

No, the surprising thing in my benchmarks was that the ratio is much different. Filtering statefully with 50000 states is cheaper than evaluating even 100 rules for each packet, at least in the packet filters I measured: http://www.benzedrine.cx/pf-paper.html. I think most people (falsely) assume that filtering statelessly is faster with their rule sets. Even simple real-life filter policies create less load on the firewall when state is being kept.

Daniel
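To make the cost model behind Daniel's observation concrete, here is an added simulation (not from the message, and not pf's own code) that counts rule evaluations and state-table probes for the same packet stream filtered statelessly and statefully. The rule set, the default-deny policy, first-match semantics and the use of a plain hash table as the state table are all assumptions of this example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")  # constructed 5-tuple model

class Rule:
    def __init__(self, action, proto, src, dst, dport):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, pkt):
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)

class Firewall:
    def __init__(self, rules, keep_state):
        self.rules, self.keep_state = rules, keep_state
        self.states = {}        # 5-tuple -> action; plain hash table (assumption)
        self.rule_evals = 0     # rule comparisons performed
        self.state_lookups = 0  # state table probes performed

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.keep_state:
            self.state_lookups += 1
            if key in self.states:      # established flow: no rule walk at all
                return self.states[key]
        action = "block"                # default deny (assumed policy)
        for rule in self.rules:         # first matching rule wins (assumed)
            self.rule_evals += 1
            if rule.matches(pkt):
                action = rule.action
                break
        if self.keep_state and action == "pass":   # create state for both directions
            self.states[key] = "pass"
            self.states[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = "pass"
        return action

def simulate(n_rules, n_flows, pkts_per_flow, keep_state):
    # Constructed workload: n_rules-1 block rules that never match, then one pass
    # rule, so every passing packet walks the whole list when no state is kept.
    rules = [Rule("block", "tcp", "10.%d.0.0/16" % (i % 256), "0.0.0.0/0", 23)
             for i in range(n_rules - 1)]
    rules.append(Rule("pass", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80))
    fw = Firewall(rules, keep_state)
    for flow in range(n_flows):         # each flow = distinct client source port
        for _ in range(pkts_per_flow):
            fw.filter(Packet("tcp", "198.51.100.7", 1024 + flow, "192.0.2.10", 80))
    return fw.rule_evals, fw.state_lookups, len(fw.states)
```

With 100 rules, 50 flows and 20 packets per flow, the stateless filter performs 100000 rule comparisons while the stateful one performs 5000 (only for each flow's first packet) plus 1000 constant-cost table probes; the rule walk's cost grows with the rule count, the probe's does not.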