Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363 (fwd)

From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 16 Oct 2002 10:52:41 -0400 (EDT)

[Forwarded with Daniel's permission]

I'm all in favor of real data, especially when it overrides dogma.  In 
this case, I'm guilty of just accepting the dogma that packet filtering 
rules and state table rules should take about as long to go through as one 
another and therefore it's a numbers game.  Daniel's data says (at least 
for the test set) otherwise.  This is much more interesting to me than the 
usual "performance" test conversations that come up around firewalls.

Paul

---------- Forwarded message ----------
Date: Wed, 16 Oct 2002 16:27:19 +0200
From: Daniel Hartmeier <daniel () benzedrine cx>
To: Paul D. Robertson <proberts () patriot net>
Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363

[ Answering this off-list, as I don't want to shamelessly advocate. ]

On Wed, Oct 16, 2002 at 10:23:08AM -0400, Paul D. Robertson wrote:

Keeping state can have performance benefits. Depending on your rule set,
associating a packet with a state entry is cheaper than evaluating the
rules. Keeping state does not 'just' increase the quality of filter
decisions.


Ok, I can see that if you're handling less stateful entries than you have 
rules, but with good rule ordering, or a busy site, I'm not sure it's a 
gimme.  Do you have any way to measure which is better, or threashold 
information?


No, the surprising thing in my benchmarks was that the ratio is much
different. Filtering statefully with 50000 states is cheaper than
evaluating even 100 rules for each packet, at least in the packet
filters I measured: http://www.benzedrine.cx/pf-paper.html.

I think most people (falsely) assume that filtering statelessly is
faster with their rule sets. Even simple real-life filter policies put
create less load on the firewall when state is being kept.

Daniel

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: CERT vulnerability note VU# 539363 (fwd) Paul D. Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
  - Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
    - Re: CERT vulnerability note VU# 539363 (fwd) Daniel Hartmeier (Oct 16)
    - Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
    - Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
    - Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- <Possible follow-ups>
- RE: CERT vulnerability note VU# 539363 (fwd) Schouten, Diederik (Diederik) (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Stephen Gill (Oct 17)
  - Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
    - Re: CERT vulnerability note VU# 539363 (fwd) Mike Frantzen (Oct 17)

(Thread continues...)