Re: tcpwrapped rpcbind/portmap?

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)
Date: 08/29/01


Message-Id: <200108291308.f7TD8po12176@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Warren Belfer <belfer@ha2mpk-mail.Eng.Sun.COM>
Subject: Re: tcpwrapped rpcbind/portmap? 
Date: Wed, 29 Aug 2001 06:08:22 -0700

I've yet to see any noticeable performance hit using IP Filter. About
5 years ago I performed some IP Filter benchmarks, as requested by
management, before implementing IP Filter. The benchmarks were
performed on a Sparc Classic LX (our Solaris testbed) using FTP file
transfers. When IP Filter was installed the FTP file transfers took on
average 3% longer than without IP Filter. There was no noticeable
increase in CPU or memory utilisation. Don't forget this was on a
Sparc Classic. On today's systems I doubt you'll see more than a 0.5%
hit on your network performance.

Regards,                           Phone:    (250)387-8437
Cy Schubert                        Fax:      (250)387-5766
Team Leader, Sun/Alpha Team        Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

In message <200108221651.JAA27240@phys-ha2mpka-16.Eng.Sun.COM>, Warren
Belfer writes:
> A host based firewall is an important line of defense on any host,
> even on non-hostile networks. Malicious or clueless insiders often
> cause more damage than external hackers. I've been running ipfilter
> (or Sunscreen) on Solaris on every host for years and I've yet to see
> any significant performance penalties, unless your machine is already
> very close to the edge. Ipfilter does require maintaining another
> package, but any host based firewall requires that.
>
> HTH
>
> warren
>
>
> >Yes, IPfilter built as a 64-bit LKM is certainly one line of defense.
> >Concerns have been raised about the performance impact of using an
> >IPfilter LKM with Solaris, and on top of that it's an additional
> >package to maintain across all of one's systems, as opposed to an
> >incremental feature in an existing package.
> >
> >In any case, as noted by Geoff Collis in another message within this
> >thread it is sometimes desirable to have multiple layers performing the
> >same security functions (ACL checking in this case) in order to decrease
> >the probability of failure.
> >
> >-Trevor
> >
> >--
> >Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/
> >Co-Founder
> >Seven
> >510.967.4556 (work/mobile)
> >510.401.8054 (vmail/fax)
>
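Added example (not code from any of the posters): a small Python model of the two ACL layers this thread discusses, an IP Filter ruleset in front of a tcp-wrapped rpcbind, showing that a client reaches port 111 only when both layers agree, and that if one layer is left permissive the other still refuses the connection. The rules, addresses and daemon name are constructed; IP Filter's "last match wins unless quick" and tcp_wrappers' allow-then-deny ordering are simplified to the parts needed here.

```python
from ipaddress import ip_address, ip_network

# Constructed ipf.conf fragment as (action, quick, source network, dst port).
# IP Filter evaluates every rule and the LAST match decides, unless a rule
# carries "quick", which ends evaluation at that rule.
IPF_RULES = [
    ("block", False, "0.0.0.0/0", 111),      # drop rpcbind/portmap by default
    ("pass",  False, "10.1.0.0/16", 111),    # ...except from the NFS client LAN
    ("block", True,  "10.1.99.0/24", 111),   # quick: lab subnet is always refused
]

# Constructed tcp_wrappers config for the rpcbind daemon ("0.0.0.0/0" stands in
# for ALL in hosts.deny).
HOSTS_ALLOW = {"rpcbind": ["10.1.0.0/16"]}
HOSTS_DENY = {"rpcbind": ["0.0.0.0/0"]}


def ipf_decision(src: str, dport: int, rules=IPF_RULES) -> str:
    """Return 'pass' or 'block' for a packet under IP Filter semantics."""
    result = "pass"  # IP Filter passes a packet that matches no rule at all
    for action, quick, net, port in rules:
        if ip_address(src) in ip_network(net) and port == dport:
            result = action
            if quick:  # this match is final, stop looking at later rules
                break
    return result


def wrappers_decision(src: str, daemon: str) -> str:
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    addr = ip_address(src)
    if any(addr in ip_network(n) for n in HOSTS_ALLOW.get(daemon, [])):
        return "allow"
    if any(addr in ip_network(n) for n in HOSTS_DENY.get(daemon, [])):
        return "deny"
    return "allow"


def reaches_rpcbind(src: str, rules=IPF_RULES) -> bool:
    """Both layers must agree before a client gets to talk to rpcbind."""
    return (ipf_decision(src, 111, rules) == "pass"
            and wrappers_decision(src, "rpcbind") == "allow")


if __name__ == "__main__":
    for client in ("10.1.5.7", "10.1.99.4", "192.0.2.5"):
        print(client, "reaches rpcbind:", reaches_rpcbind(client))
    # With the firewall layer missing entirely, tcp_wrappers still refuses.
    print("192.0.2.5 with no ipf rules:", reaches_rpcbind("192.0.2.5", rules=[]))
```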