mdr@vodka.sse.att.com writes:
>I contend that a firewall passing
>or dropping packets at the IP layer has higher throughput because it
>has less work to do for each packet, and it can do all of the
>processing for the packet at once. An application layer firewall
>may wind up with a separate process for each proxy connection.
I'm interested in what people think about all of this, long term.
The way I see it, you _can't_ do strong access control at the
packet level.
Strong access control will always depend on checking more information,
keeping more connection state, and at least some crypto checks. That's
not going to happen for free. If you try to redefine packets to contain
more security info, they stop being packets in the traditional sense
and start becoming these complicated vessels of arcane knowledge.
And it no longer fits within a single packet.
BTW, Sidewinder uses one process to handle multiple proxied connections.
Rick.
smith@sctc.com   Roseville, Minnesota
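To make the distinction in this thread concrete, the following is an added illustration (not code from either poster) of the two enforcement models: a stateless filter that passes or drops each packet on header fields alone, beside a connection-tracking filter that follows the TCP handshake per flow and, once data flows, checks that the bytes look like the protocol the port is supposed to carry. The addresses, the flag strings, the tiny SMTP verb list and the traffic sequences are all constructed for the example; the point it shows is that a packet that matches a port rule is passed by the first model and dropped by the second when no connection was ever opened or the payload is not the expected protocol.

```python
"""Stateless packet filter vs. connection-tracking filter with an
application-layer check. Constructed example; not real firewall code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAIL_SERVER = ("10.0.0.25", 25)  # constructed address of the protected service
CLIENT = ("192.0.2.10", 40000)   # constructed outside client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # simplified TCP flags: "SYN", "SYN-ACK", "ACK" or "PSH"
    payload: bytes = b""


def stateless_filter(pkt: Packet) -> bool:
    """Per-packet decision from header fields alone. Cheap, but it has no
    memory of whether a connection exists and never looks at the payload."""
    return (pkt.dst, pkt.dport) == MAIL_SERVER or (pkt.src, pkt.sport) == MAIL_SERVER


# Minimal set of SMTP command verbs accepted once a connection is established
SMTP_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP", b"QUIT"}


class ConnTrackFilter:
    """Keeps one state entry per flow and only passes data on flows that
    completed the handshake to the permitted service."""

    def __init__(self) -> None:
        # flow key (src, sport, dst, dport) -> handshake state
        self.flows: Dict[Tuple[str, int, str, int], str] = {}

    def decide(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows:                       # client -> server direction
            state = self.flows[fwd]
            if state == "SYN_RECEIVED" and pkt.flags == "ACK":
                self.flows[fwd] = "ESTABLISHED"
                return True
            if state == "ESTABLISHED" and pkt.flags == "PSH":
                return self._smtp_ok(pkt.payload)   # application-layer check
            return False
        if rev in self.flows:                       # server -> client direction
            state = self.flows[rev]
            if state == "SYN_SENT" and pkt.flags == "SYN-ACK":
                self.flows[rev] = "SYN_RECEIVED"
                return True
            return state == "ESTABLISHED" and pkt.flags in ("ACK", "PSH")
        # Unknown flow: only a SYN addressed to the permitted service may open one
        if pkt.flags == "SYN" and (pkt.dst, pkt.dport) == MAIL_SERVER:
            self.flows[fwd] = "SYN_SENT"
            return True
        return False

    @staticmethod
    def _smtp_ok(payload: bytes) -> bool:
        verb = payload.split(b" ", 1)[0].rstrip(b"\r\n").upper()
        return verb in SMTP_VERBS


def compare(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Run both filters over a packet sequence; return (stateless, tracked)
    verdicts per packet. A fresh tracker is used for each call."""
    tracker = ConnTrackFilter()
    return [(stateless_filter(p), tracker.decide(p)) for p in packets]


# Constructed traffic: a proper handshake followed by an SMTP greeting ...
HANDSHAKE_AND_EHLO = [
    Packet(*CLIENT, *MAIL_SERVER, "SYN"),
    Packet(*MAIL_SERVER, *CLIENT, "SYN-ACK"),
    Packet(*CLIENT, *MAIL_SERVER, "ACK"),
    Packet(*CLIENT, *MAIL_SERVER, "PSH", b"EHLO client.example\r\n"),
]
# ... a data packet to port 25 with no connection behind it ...
STRAY_DATA = [Packet("198.51.100.7", 40001, *MAIL_SERVER, "PSH", b"GET / HTTP/1.0\r\n")]
# ... and non-SMTP bytes on an otherwise valid connection
NON_SMTP_ON_FLOW = HANDSHAKE_AND_EHLO + [Packet(*CLIENT, *MAIL_SERVER, "PSH", b"GET / HTTP/1.0\r\n")]

if __name__ == "__main__":
    for name, seq in (("handshake+EHLO", HANDSHAKE_AND_EHLO),
                      ("stray data", STRAY_DATA),
                      ("non-SMTP on flow", NON_SMTP_ON_FLOW)):
        print(name, compare(seq))
```

The stateless filter says yes to every packet in all three sequences because each one matches the port rule; the tracking filter passes the whole handshake and the EHLO, but drops the stray data packet (no flow) and the HTTP request on the mail flow (wrong protocol). The extra verdicts cost exactly what the post says they cost: a state table entry per connection and a look at the payload.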