At 16:14 02/08/00 -0400, Paul D. Robertson wrote:
>If you're filtering, you really don't want that to hit your kernel- that's
>expensive context-switch wise.  Also, different stacks reassemble
>differently (hence the "fool the IDS" games that have been swelling up for
>a while.)

The argument is somewhat misleading. It implies that proxy-based firewalls
are stupid beasts that destroy performance, and I don't think you were
meaning this.


Yes, if you're _just_ filtering, you'd like to avoid perf reduction, so you
avoid reassembling packets (this is an IP spec after all, only the final host
should reassemble) and put in some more or less effective checks.

However, there are so many traps, as you said, that many vendors should
simply consider the "stupid" reassembly and take more time to implement
an efficient way. Get fast if you can, but get safe.

Note that when you do not reassemble, you are considering that unless a bad
fragment is detected, you let frags go through. This is safe if the "protected"
hosts react correctly to incomplete frags. I mean, if a stupid OS decides to
panic if a fragment with offset XX is received and contains some specific data,
then you'd better reduce the perf by reassembly. If all OSes used to handle
fragments correctly, then there are far fewer things to check on a firewall,
but unfortunately, OSes are not (all) that kind (I won't cite Microsoft, as
we've seen stupid frag attacks succeed on more unixy systems).


mouss
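The trade-off discussed above, as an added example that is not part of the thread: a firewall-side reassembly step that refuses to guess when fragments overlap with conflicting data (the case where different stacks reassemble differently) and drops datagrams whose reassembled size would exceed the IP limit. The Fragment layout, the 20-byte header assumption and the sample fragments are constructed for this illustration.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # total IP datagram length limit (RFC 791)
IP_HEADER_LEN = 20     # assumption: minimal header, no options


@dataclass
class Fragment:
    offset8: int   # fragment offset in 8-byte units, as carried on the wire
    more: bool     # MF (More Fragments) flag
    data: bytes    # this fragment's payload bytes


def check_fragments(frags):
    """Reassemble one datagram's fragments (any arrival order).

    Returns ('pass', payload), ('incomplete', reason) or ('drop', reason).
    """
    seen = {}      # absolute byte offset -> byte value
    total = None   # payload length announced by the final (MF=0) fragment
    for f in frags:
        start = f.offset8 * 8
        end = start + len(f.data)
        if end + IP_HEADER_LEN > MAX_DATAGRAM:
            return "drop", "reassembled datagram would exceed 65535 bytes"
        if f.more and len(f.data) % 8:
            return "drop", "non-final fragment length not a multiple of 8"
        for i, b in enumerate(f.data):
            pos = start + i
            if pos in seen and seen[pos] != b:
                # Stacks disagree on which copy wins; do not guess for them.
                return "drop", f"conflicting overlap at byte {pos}"
            seen[pos] = b
        if not f.more:
            if total is not None and total != end:
                return "drop", "two final fragments with different lengths"
            total = end
    if total is None:
        return "incomplete", "final fragment not seen yet"
    if seen and max(seen) >= total:
        return "drop", "data beyond the final fragment"
    if len(seen) != total:
        return "incomplete", "gaps remain in the payload"
    return "pass", bytes(seen[i] for i in range(total))


# Constructed samples: a clean two-fragment datagram, and one whose second
# fragment rewrites bytes 8..15 of the first with different contents.
SAMPLE_OK = [Fragment(0, True, b"A" * 16), Fragment(2, False, b"B" * 8)]
SAMPLE_OVERLAP = [Fragment(0, True, b"A" * 16), Fragment(1, True, b"C" * 8),
                  Fragment(3, False, b"D" * 8)]
```

Identical overlapping copies (a plain retransmission) still pass; only disagreeing data is treated as hostile.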

