In some mail from Mike Shaver, sie said:
>
> Thus spake Ryan Russell/SYBASE:
> > This is because, by their nature, many of them store a significant
> > portion of the document on its way through, and hence, would make it
> > easier to run through some script on the proxy server.
>
> I don't think that's necessarily `by their nature', although I'll
> concede that the vast majority of AGs deal with data with larger
> granularity than the vast majority of SPFs.
Dealing with a 1MB e-mail is going to be difficult, in kernel space.
> > This would also be why they would
> > tend to be slower.
>
> I think it's because of:
> - kernel->user->kernel data copying, since most AGs run in user space.
> - doing more complex analysis/manipulation of the data, which
> obviously takes more CPU time. (This includes the AG's TCP, if any.)
I think the latter more than the first (re. zero-copy TCP at Usenix '96
having noticeable, but not huge, performance gains), especially if they're
putting stuff on disk (I guess virtual memory must be a consideration
here too).
> Warning: ports are not always related to services/protocols in a
> 1-to-1 way. Current SPFs only really look at port and protocol info,
> so you can easily end up letting something through that wasn't
> intended, if the port->application mapping isn't what you think it is.
FW-1 is a bit more advanced: it snoops RPC traffic and learns about
RPC services that way rather than any configuration file.
Darren
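Added illustration (not part of the original thread, and not code from any of the people quoted) of the point about port->application mappings: a port-only filter admits anything on an "allowed" port, whereas a gateway that sees the opening bytes of the stream can check what protocol is really being spoken. The port table, the handful of banner/handshake signatures and the flow records are all constructed for this example; a real gateway would carry a far larger signature set and parse much deeper into the stream.

```python
# Added example, not from the mailing-list post above.  Contrasts a port-only
# packet-filter decision with a check on the client's first payload bytes, and
# reports flows where the two disagree.  All sample data is constructed.

from typing import NamedTuple, Optional

# Assumed port -> expected protocol table for this example (not a standard).
EXPECTED_BY_PORT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client on this connection


def identify_protocol(payload: bytes) -> Optional[str]:
    """Guess the application protocol from the client's opening bytes.

    Returns None when nothing recognisable is seen.  Only a few well-known
    banners/handshakes are checked here; this is the kind of inspection a
    port-only filter cannot perform because it never looks at payload.
    """
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    return None


def port_filter_decision(flow: Flow) -> bool:
    """What a port-only filter does: allow the flow if the port is on the list."""
    return flow.dport in EXPECTED_BY_PORT


def find_mismatches(flows):
    """Return (flow, expected, observed) for flows a port filter would pass
    but whose payload does not look like the protocol the port implies."""
    mismatches = []
    for flow in flows:
        if not port_filter_decision(flow):
            continue  # the port filter already drops these
        expected = EXPECTED_BY_PORT[flow.dport]
        observed = identify_protocol(flow.payload)
        if observed != expected:
            mismatches.append((flow, expected, observed))
    return mismatches


# Constructed sample flows: two as expected, two where the port "lies".
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Flow("10.0.0.6", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00"),
    Flow("10.0.0.7", "192.0.2.20", 80, b"SSH-2.0-example\r\n"),
    Flow("10.0.0.8", "192.0.2.30", 25, b"\x16\x03\x03\x00\x40"),
]

if __name__ == "__main__":
    for flow, expected, observed in find_mismatches(SAMPLE_FLOWS):
        print(f"{flow.src}->{flow.dst}:{flow.dport} allowed by port filter, "
              f"expected {expected}, saw {observed or 'unknown'}")
```

Run as-is it reports the two flows whose payload does not match the port's expected protocol; both would have been passed by the port-only decision alone.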