Paul Cardon wrote:
> 
> Yup. As Lance's experiments with FW-1 point out, current stateful
> filtering firewalls still make forwarding decisions based on the current
> packet and state saved from previous packets. Fragment and TCP stream
> reassembly are not performed. 

*ahem* I beg to differ. I know of at least _ONE_ that does fragment
reassembly. (I wrote the reassembly algorithm; I ought to know).
Although granted, I obviously don't work at checkpoint :-)

> Sometimes the best decision can only be
> made by buffering the current packet and deferring the forwarding until
> additional packets are received, analyzed, reassembled, etc.

Yes. This is the correct thing to do.

> Unfortunately that would introduce latency that stateful filtering
> vendors are trying to avoid.

Yes, but this is not the normal case. The normal case is to receive
fragments and TCP segments in-sequence, which would not introduce
any extra latency. If things are arriving out-of-sequence, you'd
end up buffering things, but if you want to protect against a number
of attacks (as firewalls are supposed to do!) you have to buffer.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
Mobile: +46-(0)70-66 77 636
WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
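The in-sequence pass-through versus out-of-sequence buffering that Mikael describes, written out as an added example that is not part of the original thread. It models a per-datagram reassembler with simplified byte-offset fragments rather than real IP headers; the overlap-rejection policy and all names (`Fragment`, `Reassembler`, `receive`) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    offset: int    # byte offset of this piece within the original datagram
    data: bytes
    more: bool     # True while more fragments follow (IP "MF" flag)


@dataclass
class Reassembler:
    """Per-datagram state for a forwarding firewall (constructed example).

    Fragments contiguous with what has already been forwarded are released
    at once (no added latency); anything out of sequence is held until the
    gap in front of it closes. Overlaps are rejected rather than resolved.
    """
    next_offset: int = 0                                       # first byte not yet forwarded
    pending: Dict[int, Fragment] = field(default_factory=dict)  # held out-of-order pieces
    forwarded: List[Fragment] = field(default_factory=list)
    total_len: Optional[int] = None                            # known once the last piece arrives
    complete: bool = False

    def _overlaps(self, frag: Fragment) -> bool:
        end = frag.offset + len(frag.data)
        if frag.offset < self.next_offset:                     # collides with forwarded prefix
            return True
        if self.total_len is not None and end > self.total_len:
            return True                                        # runs past the declared end
        return any(frag.offset < o + len(p.data) and o < end
                   for o, p in self.pending.items())

    def receive(self, frag: Fragment) -> List[Fragment]:
        """Accept one fragment; return the fragments released for forwarding (maybe none)."""
        if self._overlaps(frag):
            raise ValueError("overlapping fragment: drop the whole datagram")
        if not frag.more:
            self.total_len = frag.offset + len(frag.data)
        self.pending[frag.offset] = frag
        released: List[Fragment] = []
        while self.next_offset in self.pending:                # drain the now-contiguous run
            f = self.pending.pop(self.next_offset)
            released.append(f)
            self.next_offset += len(f.data)
        self.forwarded.extend(released)
        self.complete = (self.total_len == self.next_offset and not self.pending)
        return released

    def reassembled(self) -> bytes:
        return b"".join(f.data for f in self.forwarded)
```

In the in-order case every call to `receive` returns the fragment it was given, so nothing is ever held; only a gap causes buffering, and the buffered run is flushed the moment the gap closes.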