Re: [fw-wiz] TCP syncookies - firewall or host?
- From: rgolodner@xxxxxxxxxxxxxxxx
- Date: Wed, 04 Apr 2007 15:59:20 +0000
Why even allow the servers to see all of those options and thebn have to decide. I myself think PIX should drop it all at the external interfaces and never have to process anything further than that.
-----Original Message-----_______________________________________________
From: Florin Andrei [mailto:florin@xxxxxxxxxxxxxxx]
Sent: Tuesday, April 3, 2007 04:13 PM
To: 'Firewall Wizards Security Mailing List'
Subject: [fw-wiz] TCP syncookies - firewall or host?
Speaking about SYN flood - where would you handle it, at the firewall
level, or at the host level?
Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU
cores (recent AMD64 CPUs), all of them behind the firewall
syncookies can be enabled either at the firewall level, or at the host
level. Also, all kinds of TCP parameters can be tweaked on the firewall
(intercept and connection limits) but also on the servers via the /proc
filesystem.
This sounds like a job for the firewall, but on the other hand all those
servers are very fast, there's a lot of them, and usually they're mostly
idle. So I'm very tempted to dump that task on the servers.
Pros and cons?
--
Florin Andrei
http://florin.myip.org/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Prev by Date: Re: [fw-wiz] Pix 535 - Filtering to VLANs?
- Next by Date: Re: [fw-wiz] Pix 535 - Filtering to VLANs?
- Previous by thread: [fw-wiz] Firewall surveyquestion
- Next by thread: [fw-wiz] TCP syncookies - firewall or host?
- Index(es):
Relevant Pages
|
