Firewall Wizards mailing list archives
Re: Proxy and Stateful together ??
From: Bennett Todd <bet () rahul net>
Date: Mon, 18 Nov 2002 11:21:49 -0500
2002-11-18-10:45:14 R. DuFresne:
> On Mon, 18 Nov 2002, Bennett Todd wrote:
> [ on running snort on a bastion firewall ]
> Though you have packets traversing two rounds of 'filtering/inspection', making for a DOS perhaps in heavy attack streams, yes? Or am I missing something. My first thought here was as you mention, separation of the two inspection products, if only to reduce the chances of systems overload.
As you indicate, the two wildly different handlings of packets --- snort, sniffing the raw stream, attempting some reassembly and URI normalization and whatnot, and doing pattern matching against the results; and the normal bastion host's IP stack, with some stateful packet filtering in front of application level proxies --- offer diversity.

If performance is an issue, yes, get more boxes. Take a box so old and slow as to be regarded as completely unusable trash by today's standards --- can't run Windows, can't run Gnome+KDE+Mozilla+blechyuckgag.... Lessay, an old slow Pentium with 32MB RAM. Many's the company that ran application proxy firewalls on that grade of gear for a T1, and had no firewall performance problems even when that T1 was loaded. Snort wants a bit more RAM than that, at least if you have the conversation and portscan2 preprocessors enabled, but no more CPU.

If you've got better than 100Mbps of connectivity to the internet, and you routinely saturate it, then you'll be needing to have multiple big fast boxes to completely serve that traffic --- but they'll still cost less than one month's telecomms charge.

While I didn't say so explicitly, I kinda figured that the initial question that launched this thread --- hybrid firewall with stateful packet filtering and application proxies on one box --- was motivated by a small shop, for which a big industrial scale firewall plant wasn't justified. It's easy to fling enough hardware at small problems to prevent performance from being a problem.

-Bennett
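As an added illustration, not part of Bennett's post or of anything else in this thread, here is what the Snort side of such a hybrid bastion looked like in Snort 1.9-era snort.conf syntax, using the preprocessors the post names. The address range, the interface name and the table-size values are assumptions chosen for a small shop on a T1; those table sizes are what drive Snort's memory footprint, which is the reason the post says the conversation and portscan2 preprocessors want more RAM than a bare proxy firewall does.

```conf
# Added example: Snort 1.9-style snort.conf fragment for a sensor running on
# a bastion host.  The address range, interface and limits are assumptions,
# not values from the thread.  Started as, for instance:
#   snort -c /etc/snort/snort.conf -i fxp0 -D
var HOME_NET 192.0.2.0/24
var EXTERNAL_NET any

# The "reassembly and URI normalization" the post refers to: frag2 rebuilds
# IP fragments, stream4 tracks and reassembles TCP streams, and http_decode
# normalizes request URIs before the rules are pattern-matched against them.
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

# conversation keeps a per-flow state table and portscan2 builds on it.  The
# max_* sizes are the main reason Snort needs more RAM than the proxies on
# the same box.  Sized down here for a small site on a T1 (assumption).
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

include classification.config
include reference.config
include scan.rules
include web-cgi.rules
include web-iis.rules
```

The diversity argument in the post is visible in this layout: Snort reads the raw wire through libpcap and does its own reassembly and normalization, independent of the host IP stack that feeds the stateful filter and the proxies, so a trick that slips past one path is not automatically effective against the other. The caveat a practitioner would add is the one DuFresne raised: the conversation and portscan2 tables are bounded only by these max_* values, so size them against what the link can actually carry, or an attack stream can push the sensor into the very overload he was worried about.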
Current thread:
- Proxy and Stateful together ?? Jean Caron (Nov 15)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 16)
- Re: Proxy and Stateful together ?? Paul D. Robertson (Nov 16)
- Re: Proxy and Stateful together ?? Jean Caron (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? R. DuFresne (Nov 18)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? Jean Caron (Nov 18)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? Paul D. Robertson (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 16)
- Re: Proxy and Stateful together ?? Bennett Todd (Nov 18)
- Re: Proxy and Stateful together ?? OpenBSD Paul D. Robertson (Nov 16)