Re: [fw-wiz] Proxy and Stateful together ??

From: Bennett Todd (bet@rahul.net)
Date: 11/18/02


From: Bennett Todd <bet@rahul.net>
To: "R. DuFresne" <dufresne@sysinfo.com>
Date: Mon Nov 18 11:52:01 2002


2002-11-18-10:45:14 R. DuFresne:
> On Mon, 18 Nov 2002, Bennett Todd wrote:
> [ on running snort on a bastion firewall ]
> Though you have packets traversing two rounds of 'filtering/inspection',
> making for a DOS perhaps in heavy attack streams, yes? Or am I missing
> something. My first thought here was as you mention, seperation of the
> two inspection produsts, if only to reduce the chances of systems
> overload.

As you indicate, the two wildlly different handlings of packets ---
snort, sniffing the raw stream, attempting some reassembly and URI
normalization and whatnot, and doing pattern matching against the
results; and the normal bastion host's IP stack, with some stateful
packet filtering in front of application level proxies --- offer
diversity.

If performance is an issue, yes, get more boxes.

Take a box so old and slow as to be regarded as completely unusable trash
by today's standards --- can't run Windows, can't run
Gnome+KDE+Mozilla+blechyuckgag.... Lessay, an old slow pentium with
32MB RAM. Many's the company that ran application proxy firewalls on
that grade of gear for a T1, and had no firewall performance
problems even when that T1 was loaded. Snort wants a bit more RAM
than that, at least if you have the conversation and protscan2
preprocessors enabled, but no more CPU.

If you've got better than 100Mbps of connectivity to the internet,
and you routinely saturate it, then you'll be needing to have
multiple big fast boxes to completely serve that traffic --- but
they'll still cost less than one months telecomms charge.

While I didn't say so explicitly, I kinda figured that the initial
question that launched this thread --- hybrid firewall with
stateful packet filtering and application proxies on one box --- was
motivated by a small shop, for which a big industrial scale firewall
plant wasn't justified. It's easy to fling enough hardware at small
problems to prevent performance from being a problem.

-Bennett






Relevant Pages

  • Re: iptables and dhcp
    ... > the same physical network segment as the firewall and the remote DHCP ... You used INPUT and not FORWARD chain ... # This target allows packets to be marked in the mangle table ...
    (comp.os.linux.networking)
  • Re: Trouble accessing Outlook Web Access from behind firewall
    ... When starting the firewall I also set ... > rejected and dropped packets are logged, however I see nothing in my log ... > # Higher ports needed to accept incoming/outgoing calls ...
    (comp.security.firewalls)
  • Re: Visnetic and 8signs firewall LOOPHOLE Read....
    ... I said I am just reporting bug in your Firewall, ... From the Port Scan/Properties control screen: ... The firewall filtered 100% of the packets that were received. ... operating system (I'm talking Windows, ...
    (comp.security.firewalls)
  • Re: port 80 is open
    ... The firewall drops all packets initiated ... > internet the ISP router does not send the unreachable message. ... and then close the connection as your IP is seen as not connected. ...
    (comp.security.firewalls)
  • Re: strange network traffic
    ... Maybe not so wise to not have a firewall and trust a third party lurker to ... Subject: strange network traffic ... > -> connection established, following packets have neither SYN nor ...
    (Security-Basics)