At 02:39 AM 4/16/2002, Schouten, Diederik (Diederik) wrote:

> > <Disclaimer><Speculation> In a task-specific bridging firewall
> > a vendor could have a per-port CAM table which included the
> > local MAC addresses. That way each port could filter the local
> > traffic (based on dst MAC address) before forwarding it to the
> > firewall core, which would greatly reduce the amount of
> > processing power required by the firewall. Granted, it would
> > also result in a really bad worst-case scenario, but it would not
> > surprise me if a vendor were to use this design. </Speculation>
>
> Bad worst-case scenario?
> A learning bridge works exactly like that... overloading the
> bridge's MAC table can be countered.
I imagine more that the manufacturer would be tempted to put a slow firewall core in a bridging firewall on the assumption that much/most of the traffic would not need processing. In a worst-case scenario all traffic would need to be processed by the firewall core, which, if indeed slow, could cause a serious bottleneck. In short, it's a good design which could tempt a manufacturer to use a bad (performance) design.

Has it been discussed yet whether it would be possible to misdirect frames on a bridging firewall by forging source MAC addresses and poisoning (as opposed to overwhelming) the forwarding table?

Regards (und freundlichen Gruessen)

-Jim

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
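To make the table-pressure point of this exchange concrete, here is an added toy simulation (not code from the thread or from any vendor): a learning bridge with a fixed-capacity forwarding table that counts how many frames are resolved on the cheap per-port path and how many fall through to the "core" because the destination is unknown, and that records when an already-known address shows up on a different port, which is the signal a defender would want logged. All MAC addresses, port numbers and helper functions are constructed for the example.

```python
from collections import OrderedDict

class LearningBridge:
    """Toy model of a learning bridge with a fixed-size forwarding table.
    Frames with an unknown destination are flooded, which in the bridging
    firewall discussed above means they all reach the firewall core."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.table = OrderedDict()  # mac -> port; insertion order = age
        self.direct = 0             # resolved per-port, cheap path
        self.flooded = 0            # unknown destination, core must handle
        self.mac_moves = []         # (mac, old_port, new_port): audit signal

    def learn(self, src, port):
        if src in self.table and self.table[src] != port:
            # A known address appearing on another port is worth logging:
            # legitimate moves are rare, so this is a cheap consistency check.
            self.mac_moves.append((src, self.table[src], port))
        elif src not in self.table and len(self.table) >= self.capacity:
            self.table.popitem(last=False)  # evict the oldest entry
        self.table[src] = port
        self.table.move_to_end(src)

    def frame(self, src, dst, in_port):
        """Return the egress port, or None when the frame had to be flooded."""
        self.learn(src, in_port)
        out = self.table.get(dst)
        if out is None:
            self.flooded += 1
            return None
        self.direct += 1
        return out

def exchange(bridge, rounds, a=("aa:aa:aa:00:00:01", 1), b=("aa:aa:aa:00:00:02", 2)):
    """Constructed traffic: two hosts on ports 1 and 2 ping-pong for `rounds` rounds."""
    for _ in range(rounds):
        bridge.frame(a[0], b[0], a[1])
        bridge.frame(b[0], a[0], b[1])
    return bridge

def churn(bridge, n, port=3):
    """Constructed: n frames from n previously unseen source addresses arrive
    on one port; once the table is full each one ages out the oldest entry,
    so the next frame to an evicted host falls back to the core."""
    for i in range(n):
        bridge.frame(f"de:ad:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", port)
    return bridge

def steady_state_ratio(capacity=4, rounds=10):
    """Fraction of frames resolved per-port once the table is warm."""
    b = exchange(LearningBridge(capacity), rounds)
    return b.direct / (b.direct + b.flooded)
```

With a warm table only the very first frame reaches the core; after enough table churn the same two hosts have to be re-learned, and a host whose address appears on a new port shows up in `mac_moves`.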
