Great Circle Associates Firewalls
(January 1998)

Subject: RE: RE: Stateful Inspection Anyone? Session limits on state-tracking systems?
From: "Stout, William" <StoutW @ pios . com>
Date: Fri, 09 Jan 1998 12:59:03 -0500
To: "'Firewalls-GC'" <Firewalls @ GreatCircle . COM>

> ----- Original Message -----
> From:	Ryan Russell [SMTP:ryanr @ sybase . com]
> Sent:	Wednesday, January 07, 1998, 9:08:30
> To:	Stout, William
> Cc:	glasane @ gdsconnect . com; firewalls @ GreatCircle . COM; macgyver @ tos . net
> Subject:	Re: RE: Stateful Inspection Anyone? Explore your options.
> 
> 
> I'm implying that's a small possibility, at least as far as
> my experience goes.  The possibility of state table corruption
> has been discussed as a potential problem, but since I've
> been on the list, no one has mentioned that they've seen it happen.

Adding fuel to the state-based packet filter vs. proxy firewall religion
war...

I'd like someone to verify this:

One interesting thing I've noticed is that for a high-session site,
state-based filters have a smaller established session capacity than
services it protects.  The memory-resident state-table which maintains
session state can only be so big in stack shims and router-based
state-systems.  I would think that a disk-based state-table would have a
bit of an impact on performance, writing/reading to disk for every
new packet, not helping the situation.  If the webserver (farm) is
serving many established sessions with small packets, the state-based
system appears to become overwhelmed, the packet-filter locks up, and
needs to be hard-booted to recover.  Theoretically state-based systems
can be DOS'd by establishing, holding, and queueing up more TCP sessions
to (protected) servers than the state-based system can handle.  A proxy
server on the other hand acts like the application it protects, so no
'weirdness' occurs.

Note this is not a bandwidth issue, but an established TCP session
issue.

Bill Stout
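The capacity concern in the post above (a state-tracking filter holds one table entry per established TCP session, so a table that fills with held-open, silent sessions refuses new ones no matter how much bandwidth is free) can be modelled in a few lines. The following is an added toy simulation, not code from the original post or from any vendor's product; the table size, the idle timeout, the per-source cap and the addresses are assumptions chosen for illustration. It shows the unmitigated case beside the two common defensive controls: reaping idle entries, and capping how many entries one source may hold.

```python
"""Toy model of a fixed-capacity connection-tracking (state) table.

Added illustration, not from the original post. All sizes, timings and
addresses below are assumptions for the demonstration only.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StateTable:
    capacity: int                                # max simultaneous tracked sessions
    idle_timeout: Optional[float] = None         # seconds before a silent entry is reaped
    per_source_limit: Optional[int] = None       # max entries one source address may hold
    entries: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> last-seen time
    refused: Counter = field(default_factory=Counter)  # refusal reason -> count

    def _reap_idle(self, now: float) -> None:
        """Drop entries that have been silent longer than idle_timeout."""
        if self.idle_timeout is None:
            return
        stale = [k for k, seen in self.entries.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def new_session(self, key: tuple, now: float) -> bool:
        """Admit a new TCP session `key` at time `now`; True if it is tracked."""
        self._reap_idle(now)
        src = key[0]
        if self.per_source_limit is not None:
            held = sum(1 for k in self.entries if k[0] == src)
            if held >= self.per_source_limit:
                self.refused["per_source_limit"] += 1
                return False
        if len(self.entries) >= self.capacity:
            self.refused["table_full"] += 1       # the failure mode the post describes
            return False
        self.entries[key] = now
        return True

    def packet(self, key: tuple, now: float) -> None:
        """Refresh the last-seen time of an existing entry (no-op if untracked)."""
        if key in self.entries:
            self.entries[key] = now


def run_scenario(capacity: int, idle_timeout: Optional[float],
                 per_source_limit: Optional[int]):
    """Fill the table with sessions that then go silent, and measure how many
    later, unrelated clients are still admitted. Returns (admitted, refusals)."""
    table = StateTable(capacity, idle_timeout, per_source_limit)
    # Phase 1 (t=0): a single source (assumed address) opens `capacity`
    # sessions to the web server and then sends nothing further.
    for port in range(capacity):
        table.new_session(("10.0.0.1", 1024 + port, "192.0.2.10", 80), now=0.0)
    # Phase 2 (t=120 s): 100 distinct clients each try to open one session.
    admitted = 0
    for i in range(100):
        key = (f"198.51.100.{i}", 40000, "192.0.2.10", 80)
        if table.new_session(key, now=120.0):
            admitted += 1
    return admitted, dict(table.refused)


if __name__ == "__main__":
    for label, args in (("no mitigation", (1000, None, None)),
                        ("60 s idle timeout", (1000, 60.0, None)),
                        ("per-source cap of 50", (1000, None, 50))):
        print(label, run_scenario(*args))
```

With no mitigation every one of the 100 later clients is refused with `table_full`; with a 60-second idle timeout the silent entries are reaped before the second phase and all 100 are admitted; with a per-source cap of 50 the single source never gets past 50 entries, so the table keeps room for everyone else. Real products size and tune these differently, but the shape of the trade-off is the same: a short timeout can drop long-lived legitimate sessions, and a per-source cap does not help against many distinct sources.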

