Firewall Wizards mailing list archives
Re: CERT vulnerability note VU# 539363 (fwd)
From: Paul Robertson <proberts () patriot net>
Date: Wed, 16 Oct 2002 12:24:11 -0400 (EDT)
On Wed, 16 Oct 2002, Mikael Olsson wrote:
In my experience (our stuff), ruleset lookup hits on stateless packet forwarding rules at the _very top_ of the ruleset is comparable to keeping state.
Hmmm, is this because "normal" rules aren't optimized or hashed, but state tables were kind of pre-assumed to be a performance issue, and therefore given performance attention at the design stage? Maybe it's just because the state information is easy to do a boolean comparison on?
Of course, there's also the issue of establishing new sessions. If you're opening and tearing down sessions at a fearful ratio (tens of thousands of states per second), you might be better off (if security allows it) to have maybe a dozen or so stateless packet packet forwarding rules at the top of the ruleset.
Have any kind of feel for where the line is? Daniel's 5000 to 100 mention has me wondering if we can codify the sorts of places where this can be an easy performance win for folks who are in high utilization scenerios.
Of course, with stateless filtering rules, you'll lose things like: - SYN flood protection - TCP ISN randomization - LOGGING!
Why can't I log stateless rules? It's worked on every filtering router and packet filter I've personally used- am I missing something significant here?
"Senex semper diu dormit"
Semtex semper *boom*[1] Paul [1] We had a dearth of gameshow sounds in this thread ;) ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: CERT vulnerability note VU# 539363 (fwd) Paul D. Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Daniel Hartmeier (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Paul Robertson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- Re: CERT vulnerability note VU# 539363 (fwd) Mikael Olsson (Oct 16)
- <Possible follow-ups>
- RE: CERT vulnerability note VU# 539363 (fwd) Schouten, Diederik (Diederik) (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Stephen Gill (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Mike Frantzen (Oct 17)
- Re: CERT vulnerability note VU# 539363 (fwd) Miles Sabin (Oct 18)
- Re: CERT vulnerability note VU# 539363 (fwd) Darren Reed (Oct 22)
- Re: CERT vulnerability note VU# 539363 (fwd) Carson Gaspar (Oct 17)