Hi Ben,
At 09:35 08/08/00 +0930, Ben Nagy wrote:
>I'm going to go out on a limb here and guess that it's only the fwtk and
>directly derived ALGs that do this. You'd lose too much speed for this to be
>a feature that "modern" firewalls would support. Speed is more important
>than security, remember?
this is a hard proposition. I'd say that both are important, and that this is yet another tradeoff problem. once again, the infamous "performance vs robustness" tradeoff. however, we probably agree on the following facts:
- there is no point in reducing perf if the gain in security is not significant (either in the absolute or regarding a particular situation).
- there is no point in sacrificing security just to get more perf.
the extreme examples are: by disconnecting from the net, network security gets maximized, the perfs go to 0, but the only important thing is that you are disconnected.
On the other hand, if you open all traffic on your router, throw away any firewall, then the perfs get higher, but not necessarily for long.
>Actually, even with "old" proxies, the only proxies that I thought did this
>were FTP and SMTP - both of which can stand a reasonable amount of initial
>latency. It would certainly be stupid with HTTP.
well, all fwtk proxies used to do this. otherwise, it is not easy to allow using hostnames in the config file (which is).
>[snip]
>The main intent behind the double lookups (as I understood it) was to catch
>hosts that were 'suspicious' on the grounds that suspicious hosts were more
>likely to be up to no good. In other words, the DNS names were not used to
>allow / deny traffic based on known-bad or known-good names. The double
>lookup afforded a heuristic to filter out any incoming traffic as
>'suspicious' based on a simple test.
I agree. but I find that this heuristic is quite
While I am in, you cannot download the fwtk if your IP address is not well configured in the DNS (double lookup I think).
so, we are (at least) two who believe the DNS lookups are unnecessary.
anyone else?
regards,
mouss
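The "double lookup" heuristic discussed in this thread, written out as an added example (not code from fwtk or from either poster): the peer address is reverse-resolved to a name, that name is forward-resolved, and the connection is flagged suspicious unless the original address appears among the forward answers. The resolver is injected so the check runs offline against constructed zone data; the `live_*` helpers show the two blocking queries per connection that cost the latency Ben refers to. All hostnames and addresses below are constructed, not real hosts.

```python
"""Reverse-then-forward DNS consistency check of the kind fwtk-style proxies
used to classify peers as 'suspicious'.  Added example with an injectable
resolver so it can be exercised against constructed records, offline."""

import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample data (documentation-range addresses, not real hosts).
# PTR: address -> name (None means no PTR record exists).
SAMPLE_PTR = {
    "192.0.2.10": "good.example.net",    # forward records include the address
    "192.0.2.20": "liar.example.net",    # forward records point elsewhere
    "192.0.2.30": None,                  # no PTR record at all
    "192.0.2.40": "orphan.example.net",  # PTR name has no A records
}
# A: name -> set of addresses the forward zone advertises.
SAMPLE_A = {
    "good.example.net": {"192.0.2.10", "192.0.2.11"},
    "liar.example.net": {"198.51.100.7"},
}


@dataclass
class Verdict:
    ip: str
    hostname: Optional[str]
    consistent: bool
    reason: str


def double_lookup(ip: str,
                  reverse: Callable[[str], Optional[str]],
                  forward: Callable[[str], Iterable[str]]) -> Verdict:
    """Reverse-resolve ip, forward-resolve the resulting name, and require
    the original ip to be among the forward answers.  Any gap in the chain
    (no PTR, no A, or a mismatch) marks the peer as suspicious."""
    name = reverse(ip)
    if name is None:
        return Verdict(ip, None, False, "no PTR record")
    addrs = set(forward(name))
    if not addrs:
        return Verdict(ip, name, False, "PTR name has no A records")
    if ip not in addrs:
        return Verdict(ip, name, False,
                       "forward lookup does not include the peer address")
    return Verdict(ip, name, True, "reverse and forward records agree")


# Offline resolver backed by the constructed sample data.
def fake_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    return SAMPLE_A.get(name, set())


# Live resolver: two blocking queries per connection, which is where the
# latency discussed in the thread comes from.  Not used by the test.
def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / socket.gaierror
        return None


def live_forward(name: str) -> Iterable[str]:
    try:
        return {info[4][0]
                for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()


def check_sample_peers() -> dict:
    """Run the check over every constructed peer address."""
    return {ip: double_lookup(ip, fake_reverse, fake_forward)
            for ip in SAMPLE_PTR}


if __name__ == "__main__":
    for ip, v in check_sample_peers().items():
        state = "accept" if v.consistent else "suspicious"
        print(f"{ip:12} {state:10} {v.reason}")
```

Note that a consistent chain only tells you the peer's operator controls both the reverse and forward zones for that address; it says nothing about intent, which is the limit of the heuristic the quoted text describes.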