Is it just me, or does this just sound like
plain old stateless packet filtering mixed up with 
stateful inspection?

----8<-----

http://www.effnet.se/technology/firewall.html

The Effnet algorithm applied on firewalls makes the performance largely
independent of the number of concurrent connections filtered through
the firewall.

[...]

The Effnet algorithm does
not rely on stateful inspection to achieve high throughput by caching
filtering decisions. Instead, all traffic is processed by the filtering
engine, which selectively applies stateful inspection only to traffic
where it is really needed. Therefore, it is not necessary to maintain
states for every connection through the firewall. Hence, the name is
Selective Inspection. 

[...]

In fact, there could be millions of active connections from the Internet to
the DMZ without affecting the number of connections from the internal
network.

http://www.effnet.se/technology/images/firewall_pp_art.gif
[This image illustrates all the above]

----8<-----

Uhm... How does one go about doing things like SYN flood protection,
content inspection, etc etc etc if you're just being a plain old
packet filter? What about randomizing TCP sequence numbers - that
can't be done without keeping states?
And how the hell would the firewall go about detecting FIN+ACK
and other stealth scans and stuff if it doesn't know if the 
connection is open or not?

What does this accomplish that plain old dumb packet filtering 
routers can't already do?

Am I just being a jackarse?

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
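To make the point about stealth-scan detection concrete, here is an added example that is not part of the original post and has nothing to do with Effnet's product: a plain stateless filter beside a minimal TCP connection tracker, both run over constructed packets. The addresses, ports and the two-rule policy are assumptions chosen for illustration.

```python
from collections import namedtuple

# Constructed packet record (not from the original post): just the TCP header
# fields the comparison needs. `flags` is a frozenset of flag names.
Packet = namedtuple("Packet", "src sport dst dport flags")

# Assumed policy: internal net 10.0.0.0/8 may go anywhere; the Internet may
# reach only the DMZ web server 192.0.2.10 on port 80.
DMZ_WEB = ("192.0.2.10", 80)


def stateless_verdict(p):
    """Plain packet filter: decides from this packet's headers alone."""
    if p.src.startswith("10."):
        return "allow"
    if (p.dst, p.dport) == DMZ_WEB:
        return "allow"
    return "deny"


class StatefulTracker:
    """Follows the three-way handshake so out-of-state segments stand out."""

    def __init__(self):
        # (client, cport, server, sport) -> "syn_sent" | "established"
        self.state = {}

    def verdict(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == {"SYN"}:
            # New connection attempt: the static policy still decides.
            if stateless_verdict(p) == "deny":
                return "deny"
            self.state[fwd] = "syn_sent"
            return "allow"
        if p.flags == {"SYN", "ACK"} and self.state.get(rev) == "syn_sent":
            self.state[rev] = "established"
            return "allow"
        if fwd in self.state or rev in self.state:
            return "allow"  # belongs to a connection we saw being opened
        # Any non-SYN segment with no connection behind it, e.g. a lone
        # FIN+ACK probe: the stateless filter above would just say "allow".
        return "flag:out-of-state " + "+".join(sorted(p.flags))
```

The same FIN+ACK to port 80 is accepted by `stateless_verdict` but flagged by `StatefulTracker`, which is exactly the difference the post is asking about.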
