Re: [fw-wiz] CERT vulnerability note VU# 539363 (fwd)

From: Paul Robertson (proberts@patriot.net)
Date: 10/16/02


From: Paul Robertson <proberts@patriot.net>
To: Mikael Olsson <mikael.olsson@clavister.com>
Date: Wed Oct 16 12:12:03 2002

On Wed, 16 Oct 2002, Mikael Olsson wrote:

> In my experience (our stuff), ruleset lookup hits on stateless packet
> forwarding rules at the _very top_ of the ruleset is comparable to
> keeping state.

Hmmm, is this because "normal" rules aren't optimized or hashed, but state
tables were kind of pre-assumed to be a performance issue, and therefore
given performance attention at the design stage? Maybe it's just because
the state information is easy to do a boolean comparison on?

> Of course, there's also the issue of establishing new sessions.
> If you're opening and tearing down sessions at a fearful ratio
> (tens of thousands of states per second), you might be better off
> (if security allows it) to have maybe a dozen or so stateless
> packet forwarding rules at the top of the ruleset.

Have any kind of feel for where the line is? Daniel's 5000 to 100 mention
has me wondering if we can codify the sorts of places where this can be an
easy performance win for folks who are in high utilization scenarios.

> Of course, with stateless filtering rules, you'll lose things like:
> - SYN flood protection
> - TCP ISN randomization
> - LOGGING!

Why can't I log stateless rules? It's worked on every filtering router
and packet filter I've personally used - am I missing something significant
here?

> "Senex semper diu dormit"

Semtex semper *boom*[1]

Paul
[1] We had a dearth of gameshow sounds in this thread ;)
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts@patriot.net          which may have no basis whatsoever in fact."
probertson@trusecure.com     Director of Risk Assessment, TruSecure Corporation
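As an added illustration of the trade-off Mikael describes (stateless forwarding rules at the very top of the ruleset versus state-table lookups, and the cost of creating state for every short session) and of Paul's point that stateless rules can still log, here is a constructed toy packet filter; it is not code from Clavister or any product mentioned in the thread. The rule layout, the 20 unrelated filler rules, the DNS server address and the client names are all assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
Packet = Tuple[str, str, int]  # (src, dst, dport): simplified flow tuple, constructed

@dataclass
class Rule:
    dst: Optional[str]       # None matches any destination
    dport: Optional[int]     # None matches any port
    action: str              # "pass" or "drop"
    stateless: bool = False  # a stateless rule never creates a state entry
    log: bool = False        # logging is per rule, so stateless rules log too

    def matches(self, p: Packet) -> bool:
        return self.dst in (None, p[1]) and self.dport in (None, p[2])

class Filter:
    def __init__(self, rules: List[Rule]) -> None:
        self.fast = [r for r in rules if r.stateless]    # kept at the very top
        self.slow = [r for r in rules if not r.stateless]
        self.state = set()      # hashed state table keyed on the flow tuple
        self.rule_evals = 0     # rule comparisons performed (linear-scan cost)
        self.log = []

    def process(self, p: Packet) -> str:
        for r in self.fast:                  # one comparison per stateless rule
            self.rule_evals += 1
            if r.matches(p):
                if r.log:
                    self.log.append(("stateless", p))
                return r.action
        if p in self.state:                  # established session: one hash lookup
            return "pass"
        for r in self.slow:                  # new session: walk the ruleset
            self.rule_evals += 1
            if r.matches(p):
                if r.action == "pass":
                    self.state.add(p)        # entry lives until session teardown
                if r.log:
                    self.log.append(("stateful", p))
                return r.action
        return "drop"

def simulate(stateless_dns: bool, sessions: int = 1000) -> Tuple[int, int, int]:
    # One-packet DNS sessions behind 20 unrelated rules; returns (evals, states, log lines)
    filler = [Rule(f"10.0.0.{i}", 80, "pass") for i in range(20)]
    dns = Rule("10.0.0.53", 53, "pass", stateless=stateless_dns, log=True)
    fw = Filter([dns] + filler if stateless_dns else filler + [dns])
    for n in range(sessions):                # distinct clients, so distinct sessions
        fw.process((f"client{n}", "10.0.0.53", 53))
    return fw.rule_evals, len(fw.state), len(fw.log)
```

With the DNS rule stateless at the top, each packet costs one comparison and creates no state, yet every hit is still logged; with it stateful at the bottom, each new session walks all 21 rules and leaves a state entry behind.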