Firewall Wizards mailing list archives

Re: CERT vulnerability note VU# 539363 (fwd)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 16 Oct 2002 17:55:20 +0200


"Daniel Hartmeier" wrote:

> I think most people (falsely) assume that filtering statelessly is
> faster with their rule sets. Even simple real-life filter policies
> create less load on the firewall when state is being kept.

Just to corroborate: I agree 100% with this.

In my experience (our stuff), ruleset lookup hits on stateless packet
forwarding rules at the _very top_ of the ruleset are comparable to
keeping state.

Anything below the very top will start showing differences, and
for someone who needs "maximum throughput", hits on rules 100+
can be "painful".

We should have PDFs that show the exact ratios for our gear lying around 
here somewhere, but people have left for the day and I can't seem to
find them. :/


Of course, there's also the issue of establishing new sessions.
If you're opening and tearing down sessions at a fearful ratio
(tens of thousands of states per second), you might be better off
(if security allows it) to have maybe a dozen or so stateless
packet forwarding rules at the top of the ruleset.

Of course, with stateless filtering rules, you'll lose things like:
- SYN flood protection
- TCP ISN randomization
- LOGGING!

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
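The two performance claims in the post above (a stateless rule deep in the ruleset costs a full first-match scan on every packet, while a state-table hit costs one lookup; and under heavy session churn the state table stops helping because every session is a fresh scan plus an insert) can be made concrete with a toy model. The following is an added example, not code from the original post or from Clavister or pf: the rules, hosts and traffic are constructed, the filters are simplified (first-match only, client-to-server traffic only, a state table with no timeouts), and the rule-evaluation count is the only cost it models.

```python
# Added example, not from the original post: a toy model of how many rules a
# firewall has to evaluate per packet with stateless first-match filtering
# versus stateful filtering. All rules, hosts and traffic are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp" or "udp"
    dport: Optional[int]    # None matches any destination port
    action: str             # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 5-tuple so replies would hit the same state entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a > b:
        a, b = b, a
    return (p.proto, a[0], a[1], b[0], b[1])


def first_match(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Linear first-match scan. Returns (action, number of rules evaluated)."""
    for i, r in enumerate(rules, start=1):
        if r.proto == p.proto and (r.dport is None or r.dport == p.dport):
            return r.action, i
    return "block", len(rules)       # implicit default deny


class StatelessFilter:
    """Every packet, including every packet of an established session, is scanned."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules, self.rule_evals = rules, 0

    def process(self, p: Packet) -> str:
        action, n = first_match(self.rules, p)
        self.rule_evals += n
        return action


class StatefulFilter:
    """Only the first packet of a session is scanned; later ones hit the state table."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules, self.rule_evals = rules, 0
        self.state: Dict[FlowKey, bool] = {}   # toy model: no timeouts, never shrinks

    def process(self, p: Packet) -> str:
        k = flow_key(p)
        if k in self.state:                    # one hash lookup, zero rule evaluations
            return "pass"
        action, n = first_match(self.rules, p)
        self.rule_evals += n
        if action == "pass":
            self.state[k] = True               # state insert: the cost churn pays for
        return action


def make_rules(pass_port: int, depth: int) -> List[Rule]:
    """Ruleset whose pass rule for pass_port sits at position `depth` (1 = top)."""
    filler = [Rule("tcp", 10000 + i, "block") for i in range(depth - 1)]
    return filler + [Rule("tcp", pass_port, "pass")]


def simulate(rules: List[Rule], sessions: int, packets_per_session: int) -> Dict[str, float]:
    """Push identical client->server traffic through both filters and report
    the average number of rules evaluated per packet for each."""
    stateless, stateful = StatelessFilter(rules), StatefulFilter(rules)
    total = 0
    for s in range(sessions):
        # constructed traffic: one TCP session per client source port to port 80
        pkt = Packet("tcp", "10.0.%d.%d" % (s // 250, s % 250 + 1), 1024 + s, "192.0.2.10", 80)
        for _ in range(packets_per_session):
            stateless.process(pkt)
            stateful.process(pkt)
            total += 1
    return {
        "stateless_evals_per_pkt": stateless.rule_evals / total,
        "stateful_evals_per_pkt": stateful.rule_evals / total,
        "state_entries": float(len(stateful.state)),
    }


if __name__ == "__main__":
    deep, top = make_rules(80, 100), make_rules(80, 1)
    print("long sessions, pass rule #100:", simulate(deep, 1000, 20))
    print("long sessions, pass rule #1:  ", simulate(top, 1000, 20))
    print("1-packet sessions, rule #100: ", simulate(deep, 10000, 1))
    print("1-packet sessions, rule #1:   ", simulate(top, 10000, 1))
```

With the pass rule at position 100 and 20-packet sessions, the stateless filter evaluates 100 rules per packet while the stateful one averages 5, because only the first packet of each session is scanned. With the same rule at the top, both are near one evaluation per packet, which is the "comparable" case in the post. With one-packet sessions (pure churn) the stateful filter gains nothing on rule evaluations, evaluates the full 100 rules per packet at depth 100, and additionally fills its state table with one entry per session; moving the rule to the top brings both back to one evaluation per packet, which is the trade the post describes, at the price of the SYN flood protection, ISN randomization and logging that the state machinery provides.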

