RE: [fw-wiz] PIX vs Checkpoint vs Sonicwall vs Netscreen - comments?

From: Crispin Harris
To: 'David Klein'
Date: Thu Aug  1 21:52:16 2002

> -----Original Message-----
> From: David Klein
> Sent: Friday, August 02, 2002 6:32 AM
> This changes in ScreenOS 4.0. The multiplicative nature of expanding
> admin-defined policies with groups into "ASIC policies" changes to an
> additive nature.
> So if I have a policy using a src_addr group of 6 subnets and
> a dest_addr group of 7 subnets then it will only generate 13 instead
> of 42 "ASIC policies".

Hmm, Dave, I guess I'm just going to have to go and ask you to explain this in
a bit more detail.
My (admittedly limited) understanding of ASIC design, packet filtering
techniques and algorithm design doesn't tell me how you might get 13
rules out of this.

Unless, of course, you are using fall-through, multiple-path (tree like)
rule tables.

This would mean your rules, instead of being a straight match list:
SrcIP=xxx, DstIP=yyy, SVC=sv1, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv2, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv3, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv4, Allow

You now have a "Tree-like" match list:
SrcIP=xxx, go_sub_A
SrcIP=xx2, go_sub_A
SrcIP=xx3, DstIP=yyy, SVC=sv0, Allow
  DstIP=yy1, go_sub_B
  DstIP=yy2, go_sub_B
  SVC=sv1, Allow
  SVC=sv2, Allow
  SVC=sv3, Allow

I can see some problems in ASIC performance if the ASIC was not designed to
cope with this. (Mind you, NetScreen have some funky programmers, who knows
what sort of cute kludges might be used.)

My concern with this form of rule organisation/re-rendering is that (just
like "best-fit" rule ordering) there may be circumstances in which
unexpected combinations occur. I think that this is covered in detail in Brent
Chapman's Firewalls book.

[Discussion: If the designers have, in fact, done this, then I can't see
them restricting the ASIC_policies ordering to a "per GUI-rule" basis. Thus
I would expect them to take the entire GUI ruleset and then normalise and
render as an ASIC_rule tree. -- This is what bothers me.]

> This does not require a change to the ASIC or any hardware
> components for that matter.

It is this comment that makes me suspect tree-like rather than first-match
rule parsing...

        Please comment....

Kind Regards,
        Crispin Harris


 This correspondence is for the named person's use only. It may
 contain confidential or legally privileged information or both.
 No confidentiality or privilege is waived or lost by any
 mistransmission. If you receive this correspondence in error, please
 immediately delete it from your system and notify the sender. You
 must not disclose, copy or rely on any part of this correspondence
 if you are not the intended recipient.
 Any views expressed in this message are those of the individual sender,
 except where the sender expressly, and with authority, states them to
 be the views of DeMorgan Pty Ltd.
 This e-mail has been checked for known Viruses. It is the responsibility
 of the receiver to check their system for infected files and any such
 file is deemed not to be the responsibility of DeMorgan.
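The two renderings under discussion, as an added worked example that is not part of the thread and not NetScreen's code: one address-group rule with 6 source subnets and 7 destination subnets rendered multiplicatively (42 flat entries) and additively (6 source branches sharing one 7-entry destination subtree, 13 entries), with a matcher for each so the two can be checked against the same packets. The subnets, the second two-rule policy and the `render_naive_merge` function are constructed here to illustrate the "unexpected combinations" concern Crispin raises; that function is a deliberately wrong normaliser that merges the whole ruleset by field, and says nothing about how ScreenOS actually renders policy.

```python
import ipaddress
from itertools import product

ip = ipaddress.ip_address
net = ipaddress.ip_network

# Constructed sample data (hypothetical subnets): the single address-group
# rule from Dave's example, 6 source subnets x 7 destination subnets.
SRC_GROUP = [net(f"10.{i}.0.0/16") for i in range(1, 7)]
DST_GROUP = [net(f"192.168.{i}.0/24") for i in range(1, 8)]
ONE_RULE = [(SRC_GROUP, DST_GROUP, "allow")]

# Constructed two-rule policy used to show how a whole-ruleset merge can
# produce a src/dst pair that no admin-defined rule ever allowed.
TWO_RULES = [
    ([net("10.1.0.0/16"), net("10.2.0.0/16")], [net("192.168.1.0/24")], "allow"),
    ([net("10.3.0.0/16")], [net("192.168.2.0/24")], "allow"),
]

# Constructed packets: src/dst pairs inside and outside the groups.
SAMPLE_PAIRS = [
    (ip("10.3.0.5"), ip("192.168.7.9")),   # both inside the groups
    (ip("10.3.0.5"), ip("192.168.9.1")),   # dst outside the group
    (ip("10.9.0.5"), ip("192.168.1.1")),   # src outside the group
]


def render_flat(rules):
    """Multiplicative rendering: one entry per (src, dst) pair, in rule order."""
    flat = []
    for srcs, dsts, action in rules:
        flat.extend((s, d, action) for s, d in product(srcs, dsts))
    return flat


def render_tree(rules):
    """Additive rendering: per rule, one branch per source subnet, every branch
    pointing at the same shared destination subtree. Rule order is preserved,
    so first-match semantics survive when a later rule overlaps an earlier one."""
    tree = []
    for srcs, dsts, action in rules:
        dst_sub = [(d, action) for d in dsts]      # shared by all src branches
        tree.extend((s, dst_sub) for s in srcs)
    return tree


def tree_entry_count(tree):
    """Count branches plus each distinct shared subtree exactly once."""
    subtrees = {id(sub): sub for _, sub in tree}
    return len(tree) + sum(len(sub) for sub in subtrees.values())


def match_flat(flat, src_ip, dst_ip):
    """Straight first-match over the flat list; implicit default is deny."""
    for s, d, action in flat:
        if src_ip in s and dst_ip in d:
            return action
    return "deny"


def match_tree(tree, src_ip, dst_ip):
    """Tree match: descend into a branch on src; on a dst miss inside the
    subtree, fall through to the next branch instead of stopping."""
    for s, dst_sub in tree:
        if src_ip in s:
            for d, action in dst_sub:
                if dst_ip in d:
                    return action
    return "deny"


def renderings_agree(rules, pairs):
    """True when flat and tree renderings give the same verdict for every pair."""
    flat, tree = render_flat(rules), render_tree(rules)
    return all(match_flat(flat, s, d) == match_tree(tree, s, d) for s, d in pairs)


def render_naive_merge(rules):
    """Hypothetical, deliberately wrong whole-ruleset normaliser: unions every
    allow rule's sources into one table over the union of their destinations.
    This is the cross-combination failure mode, not a real ScreenOS behaviour."""
    srcs, dsts = [], []
    for rs, rd, action in rules:
        if action != "allow":
            raise ValueError("toy merge only handles allow rules")
        srcs.extend(rs)
        dsts.extend(rd)
    shared = [(d, "allow") for d in dsts]
    return [(s, shared) for s in srcs]


if __name__ == "__main__":
    print("flat entries:", len(render_flat(ONE_RULE)))            # 42
    print("tree entries:", tree_entry_count(render_tree(ONE_RULE)))  # 13
    print("renderings agree:", renderings_agree(ONE_RULE, SAMPLE_PAIRS))
    stray = (ip("10.3.0.5"), ip("192.168.1.1"))   # allowed by neither rule
    print("per-rule tree:", match_tree(render_tree(TWO_RULES), *stray))
    print("naive merge:  ", match_tree(render_naive_merge(TWO_RULES), *stray))
```

The per-rule tree keeps each rule's destination subtree private to that rule's source branches, which is why it stays equivalent to the flat list; the naive merge shares one destination table across rules and so allows 10.3.0.5 to reach 192.168.1.0/24, a pair present in neither admin-defined rule. Whether a real renderer shares subtrees only within a GUI rule or across the whole ruleset is exactly the question left open in the message above.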

