Re: [fw-wiz] Proxy and Stateful together ??

From: R. DuFresne (dufresne@sysinfo.com)
Date: 11/18/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: Bennett Todd <bet@rahul.net>
Date: Mon Nov 18 10:57:18 2002

On Mon, 18 Nov 2002, Bennett Todd wrote:

> 2002-11-16-11:05:40 Paul D. Robertson:
> > > Might park a snort on it while I was about it, too.
> >
> > Hmmm, isn't that adding a level of bloatedness that's a bit extreme?
>
> Depends on the context. If the environment supports the investment
> to have multiple boxes implementing the firewall, then this would
> certainly be one of the first choices for moving off onto a separate
> box. If not, I don't think the bloat is that bad; for small shops,
> the performance impact isn't that bad, and the code seems (in my
> experience anyway) nice and stable. It's not as tiny as it once was,
> but it's still not that bloated by modern standards anyway:-).

Though you have packets traversing two rounds of 'filtering/inspection',
making for a DOS perhaps in heavy attack streams, yes? Or am I missing
something? My first thought here was as you mention, separation of the
two inspection products, if only to reduce the chances of systems
overload.

Thanks,

Ron DuFresne

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!