Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363 (fwd)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 16 Oct 2002 17:55:20 +0200
"Daniel Hartmeier" wrote:
I think most people (falsely) assume that filtering statelessly is faster with their rule sets. Even simple real-life filter policies put create less load on the firewall when state is being kept.
Just to corroborate: I agree 100% with this. In my experience (our stuff), ruleset lookup hits on stateless packet forwarding rules at the _very top_ of the ruleset is comparable to keeping state. Anything below the very top will start showing differences, and for someone that needs "maximum throughput", hits on rules 100+ can be "painful". We should have PDFs that show the exact ratios for our gear lying around here somewhere, but people have left for the day and I can't seem to find them. :/ Of course, there's also the issue of establishing new sessions. If you're opening and tearing down sessions at a fearful ratio (tens of thousands of states per second), you might be better off (if security allows it) to have maybe a dozen or so stateless packet packet forwarding rules at the top of the ruleset. Of course, with stateless filtering rules, you'll lose things like: - SYN flood protection - TCP ISN randomization - LOGGING! -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com "Senex semper diu dormit" _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: CERT vulnerability note VU# 539363 (fwd) Paul D. Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Daniel Hartmeier (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- <Possible follow-ups>
- RE: CERT vulnerability note VU# 539363 (fwd) Schouten, Diederik (Diederik) (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Stephen Gill (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Mike Frantzen (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Miles Sabin (Oct 18)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)