Re: [fw-wiz] CERT vulnerability note VU# 539363 (fwd)

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 10/16/02 

From: Mikael Olsson <mikael.olsson@clavister.com>
To: daniel@benzedrine.cx
Date: Wed Oct 16 12:02:45 2002

"Daniel Hartmeier" wrote:
>
> I think most people (falsely) assume that filtering statelessly is
> faster with their rule sets. Even simple real-life filter policies put
> create less load on the firewall when state is being kept.

Just to corroborate: I agree 100% with this.

In my experience (our stuff), ruleset lookup hits on stateless packet
forwarding rules at the _very top_ of the ruleset is comparable to
keeping state.

Anything below the very top will start showing differences, and
for someone that needs "maximum throughput", hits on rules 100+
can be "painful".

We should have PDFs that show the exact ratios for our gear lying around
here somewhere, but people have left for the day and I can't seem to
find them. :/

Of course, there's also the issue of establishing new sessions.
If you're opening and tearing down sessions at a fearful ratio
(tens of thousands of states per second), you might be better off
(if security allows it) to have maybe a dozen or so stateless
packet packet forwarding rules at the top of the ruleset.

Of course, with stateless filtering rules, you'll lose things like:
- SYN flood protection
- TCP ISN randomization
- LOGGING! 

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"Senex semper diu dormit"

Relevant Pages