Re: [fw-wiz] Inspecting routers
From: Lorens Kockum (firewall-wizards-20021015@tagged.lorens.org)
Date: 11/26/02
From: Lorens Kockum <firewall-wizards-20021015@tagged.lorens.org>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Nov 26 08:00:20 2002

On Mon, Nov 25, 2002 at 05:22:57PM -0800, Kyle R. Hofmann wrote:
> On Mon, 25 Nov 2002 18:20:49 +0100, Lorens Kockum wrote:
>
> > Other than that, stateful filtering on the external router will
> > basically protect you from some consequences of having worse TCP
> > stack implementations on the web servers than on your routers.
>
> This is not strictly true. Pure stateful filtering may still allow
> maliciously constructed TCP segments. You are thinking of packet
> normalization, which usually has stateful filtering as a prerequisite.

Yes - and I'm not sure "routers" do normalization. I should have
emphasized "some" :-)

> > It will, on the other hand, cost you. Stateful filtering is
> > more expensive than non-stateful in terms of CPU / memory /
> > performance.
>
> This is not true for all implementations, and probably not even for most.

Brain glitch re filtering/non-filtering. Sorry. (Same thing to Mikael).

--
#include <std_disclaim.h> Lorens Kockum