Re: CERT vulnerability note VU# 539363 (fwd)

[Paul Robertson <proberts () patriot net>]

On Wed, 16 Oct 2002, Mikael Olsson wrote:

> In my experience (our stuff), ruleset lookup hits on stateless packet 
> forwarding rules at the _very top_ of the ruleset is comparable to 
> keeping state.

Hmmm, is this because "normal" rules aren't optimized or hashed, but state 
tables were kind of pre-assumed to be a performance issue, and therefore 
given performance attention at the design stage?  Maybe it's just because 
the state information is easy to do a boolean comparison on?

> Of course, there's also the issue of establishing new sessions.
> If you're opening and tearing down sessions at a fearful ratio
> (tens of thousands of states per second), you might be better off 
> (if security allows it) to have maybe a dozen or so stateless
> packet packet forwarding rules at the top of the ruleset.

Have any kind of feel for where the line is?  Daniel's 5000 to 100 mention 
has me wondering if we can codify the sorts of places where this can be an 
easy performance win for folks who are in high utilization scenerios.
  
> Of course, with stateless filtering rules, you'll lose things like:
> - SYN flood protection
> - TCP ISN randomization
> - LOGGING!

Why can't I log stateless rules?  It's worked on every filtering router 
and packet filter I've personally used- am I missing something significant 
here?

> "Senex semper diu dormit"

Semtex semper *boom*[1]

Paul
[1] We had a dearth of gameshow sounds in this thread ;)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards