Re: Stateful Inspection

From: x y (jamescagney90210@excite.com)
Date: 05/16/02


From: "x y" <jamescagney90210@excite.com>
Date: Wed, 15 May 2002 23:54:43 -0400


"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:abuu6h$d9o$1@news.shlink.de...
> Also, by maintaining information about previous packets, stateful
> inspection firewalls can quickly verify that packets meet the criteria
> for authorized traffic, making them inherently fast.
> </quote>
>
> Simply wrong: stateful packet filters are slower than non-stateful
> ones, because the rules change dynamically. Therefore they consume more
> memory and CPU time than non-stateful packet filters.

I guess it may be true to say that stateful firewalls may require more
hardware to get the same performance as packet filtering routers, but that's
not exactly the same as saying that all stateful firewalls are slower than
all packet filtering routers. I think it is not entirely irrelevant to
mention here that you could choose a stateful firewall with faster hardware
or an ASIC chip to get a faster solution than a packet filtering router with
slower hardware. It's also not entirely possible to make comparisons when
different stateful firewalls like FW-1 and BSD for example have disparate
performance rates to begin with.

And then there are hybrid solutions like Microsoft ISA server that are both
proxy and stateful, in other words it may not exactly be true to say that no
stateful firewall can inspect packet content. And then there are stateful
firewalls like FW-1 that use CVP or other add-in modules to check content.
It may not exactly be the stateful firewall itself that is checking the
content, but also it is not exactly true to deduce that you cannot have
content inspection if you choose a stateful firewall. It may be quibbling,
but Sygate, BlackIce, Checkpoint, Netgear, Symantec, Netscreen, Cisco and
Cisco PIX are all stateful firewalls that I understand can also check
content.
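To make the trade-off both posters are arguing about concrete, here is an added toy model (not code from anyone in this thread, nor from FW-1, ISA or any other product named above). It puts a stateless rule list next to a stateful filter that keeps a connection table: the stateful one pays memory per tracked flow and evaluates its rule list only for new flows, while established flows are a dictionary lookup; in return it can tell a genuine reply from a packet that merely carries the ACK bit, which the stateless filter has to wave through. Addresses, ports and the single "outbound web" rule are constructed for the demo.

```python
"""Toy stateless vs stateful packet filter (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INSIDE = "10.0.0."  # constructed internal prefix; the only policy is "inside may reach port 80"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: FrozenSet[str]  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}


def stateless_allow(pkt: Packet) -> bool:
    """Static rule list, evaluated for every packet (no memory between packets).
    To let replies in it must accept any port-80 packet with ACK set: it has
    no way to know whether a matching outbound connection ever existed."""
    if pkt.src.startswith(INSIDE) and pkt.dport == 80:
        return True
    if pkt.sport == 80 and "ACK" in pkt.flags and pkt.dst.startswith(INSIDE):
        return True
    return False


FlowKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    """Connection table keyed by 5-tuple: the 'information about previous
    packets' the quoted text refers to. Each entry costs memory; each new
    flow costs a rule-list evaluation; established flows are a dict lookup."""

    def __init__(self, max_entries: int = 1000) -> None:
        self.table: Dict[FlowKey, str] = {}  # key -> "SYN_SENT" | "ESTABLISHED"
        self.max_entries = max_entries       # bound on state memory
        self.rule_hits = 0                   # how often the rule list was consulted

    @staticmethod
    def key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def reverse(pkt: Packet) -> FlowKey:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def allow(self, pkt: Packet) -> bool:
        if self.key(pkt) in self.table:          # client side of a tracked flow
            return True
        rk = self.reverse(pkt)
        if rk in self.table:                     # server side of a tracked flow
            if self.table[rk] == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
                self.table[rk] = "ESTABLISHED"   # handshake completes
                return True
            return self.table[rk] == "ESTABLISHED"
        # Unknown flow: this is where CPU (rule evaluation) and memory (new entry) are spent.
        self.rule_hits += 1
        if pkt.src.startswith(INSIDE) and pkt.dport == 80 and pkt.flags == {"SYN"}:
            if len(self.table) >= self.max_entries:
                return False                     # table full: the memory cost, made visible
            self.table[self.key(pkt)] = "SYN_SENT"
            return True
        return False


def tcp(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet(src, sport, dst, dport, "tcp", frozenset(flags))


def run_demo() -> dict:
    """Replays a constructed handshake plus one forged 'reply' through both filters."""
    sf = StatefulFilter()
    client, server = "10.0.0.5", "203.0.113.10"
    handshake: List[Packet] = [
        tcp(client, 40000, server, 80, "SYN"),
        tcp(server, 80, client, 40000, "SYN", "ACK"),
        tcp(client, 40000, server, 80, "ACK"),
        tcp(server, 80, client, 40000, "ACK", "PSH"),  # data in the established flow
    ]
    # Forged packet from an unrelated host: port 80, ACK set, no prior connection.
    forged = tcp("198.51.100.7", 80, client, 40000, "ACK")
    return {
        "stateful_handshake": [sf.allow(p) for p in handshake],
        "stateless_handshake": [stateless_allow(p) for p in handshake],
        "stateful_forged": sf.allow(forged),
        "stateless_forged": stateless_allow(forged),
        "rule_hits": sf.rule_hits,       # rule list consulted only for new flows
        "table_size": len(sf.table),     # memory spent: one entry per tracked flow
    }


def run_exhaustion(limit: int, attempts: int) -> List[bool]:
    """Opens `attempts` distinct flows through a filter bounded to `limit` entries."""
    sf = StatefulFilter(max_entries=limit)
    return [sf.allow(tcp("10.0.0.5", 40000 + i, "203.0.113.10", 80, "SYN")) for i in range(attempts)]


if __name__ == "__main__":
    print(run_demo())
    print(run_exhaustion(limit=2, attempts=3))
```

Both filters pass the legitimate handshake, but only the stateful one refuses the forged ACK packet, and it consulted its rule list twice for five packets (once per new flow) while holding one table entry. The `run_exhaustion` call shows the other side of the same coin: once the bounded table is full, new flows are refused, which is why sizing state tables and timing out idle entries matters for a stateful design.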
