Firewall Wizards mailing list archives

Re: Proxy and Stateful together ??


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 18 Nov 2002 10:45:14 -0500 (EST)

On Mon, 18 Nov 2002, Bennett Todd wrote:

2002-11-16-11:05:40 Paul D. Robertson:
Might park a snort on it while I was about it, too.

Hmmm, isn't that adding a level of bloatedness that's a bit extreme?

Depends on the context. If the environment supports the investment
to have multiple boxes implementing the firewall, then this would
certainly be one of the first choices for moving off onto a separate
box. If not, I don't think the bloat is that bad; for small shops,
the performance impact isn't that bad, and the code seems (in my
experience anyway) nice and stable. It's not as tiny as it once was,
but it's still not that bloated by modern standards anyway:-).

Though you have packets traversing two rounds of 'filtering/inspection',
making for a DOS perhaps in heavy attack streams, yes?  Or am I missing
something?  My first thought here was as you mention, separation of the
two inspection products, if only to reduce the chances of systems
overload.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

