
Re: FW: firewalling theory



The problem with stateful that I always run into is
that it assumes a symmetrical path.  I'm in the ISP
business and having one path out sucks.  Getting
stateful in my realm is a burden on the box already
because of the sheer traffic, but getting symmetry and
redundancy is a nightmare.  Since we're talking Cisco
boxen as routers we can set up route maps and other
stuff, but they're really CPU intensive.

We finally sprang for some REALLY REALLY
expensive machines that do yadda yadda yadda in the
ASICs and have customers NATing through that.

Has anyone figured out something I haven't about
stateful?  Obviously the nature of it = symmetry, but is
there a tool out there that would share the state
tables between two boxen for redundancy?  On Open I
could use this as a redundant stateful firewall and
sleep at night without breaking the bank.

I mentioned the boxes we are doing that with right now
are REALLY expensive, right?  Try half a million each
after contracts and crap.

--- Steve Halligan <agent33_(_at_)_geeksquad_(_dot_)_com> wrote:
> This is all semantics.  I would argue that a "stateless"
> firewall isn't technically a firewall at all.  It is
> merely a packet filter.  Someone else may argue that
> anything that drops packets you want to be dropped
> and lets packets through you want let through is a
> firewall.  It all depends on how you define the word
> "firewall".
> 
> If I walk into a client to look at their "firewall"
> (that someone else had installed) and it turns out
> that what they really have is an ethernet/ethernet
> router with an access list that someone sold them
> as a firewall, I begin my speech about how what they
> have isn't "really" a firewall.  Then I try to explain
> why keeping state is really important.
> 
> I usually convince them to put in a stateful
> firewall.
> 
> -steve
> 
> ps.  Did I get the record for the number of ""'s in a
> post?  Please, when reading this to yourself, read out
> loud and make airquotes whenever you come across a
> quoted word.  Trust me, it is fun.
> 
> > No such thing as stateless?!?  Stateless means the
> > firewall keeps no state table, instead relying on
> > source port/IP and destination source/IP.  PIX is many
> > times preferred because Cisco has such a vast monopoly
> > that they can strongarm companies into using their
> > silly little thing.  I've talked to several people who
> > had this problem, including an uncle.  They all hated
> > their PIXes.


=====
-----------------------------------------------------------
Few people think more than two or three times a year;
I have made an international reputation for myself by 
thinking once or twice a week.
                                      George Bernard Shaw
-----------------------------------------------------------
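The two points argued in this thread (a stateful filter needs to see both legs of a connection, so an asymmetric return path through a second box gets dropped unless the boxes share a state table; and a stateless filter that admits "established" traffic by flag alone passes packets a stateful one would not) can be shown with a small simulation. This is an added example, not code from the thread or from any firewall product; the addresses, ports, the `10.` inside prefix and the class and function names are constructed for illustration.

```python
"""Toy model of stateless vs stateful filtering (constructed example, not
code from the mailing-list thread).  Addresses, ports and the inside
prefix are assumptions chosen for illustration only."""
from dataclasses import dataclass

INSIDE_PREFIX = "10."  # assumed: customer hosts live in 10.0.0.0/8


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatelessFilter:
    """Per-packet decision from addresses, ports and flags only; no memory.
    Return traffic is admitted by the classic 'established' rule: any packet
    with ACK set is assumed to belong to a connection the inside started."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)

    def check(self, pkt):
        if pkt.src.startswith(INSIDE_PREFIX):
            return "pass"                      # outbound: always allowed
        if pkt.dport in self.allowed_dports or pkt.ack:
            return "pass"                      # published service or "established"
        return "drop"


class StatefulFilter:
    """Admits inbound packets only if a matching outbound flow was recorded.
    The table is passed in so two boxes can share one, which is the
    redundancy idea raised in the thread."""

    def __init__(self, table):
        self.table = table

    def check(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(INSIDE_PREFIX) and pkt.syn and not pkt.ack:
            self.table.add(flow)               # new outbound connection creates state
            return "pass"
        if flow in self.table or reverse in self.table:
            return "pass"                      # belongs to a known flow
        return "drop"                          # no state: asymmetric leg or unsolicited


# Constructed traffic: one customer web request and its SYN/ACK reply,
# plus an unsolicited ACK aimed at an inside host that never asked for it.
OUTBOUND = Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
RETURN = Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True, ack=True)
ACK_PROBE = Packet("198.51.100.7", 4444, "10.0.0.5", 22, ack=True)


def asymmetric_scenario(share_state):
    """Outbound leg crosses box A, return leg crosses box B.
    Returns (box A verdict on the request, box B verdict on the reply)."""
    table_a = set()
    table_b = table_a if share_state else set()
    box_a, box_b = StatefulFilter(table_a), StatefulFilter(table_b)
    return box_a.check(OUTBOUND), box_b.check(RETURN)


def ack_probe_results():
    """What each design does with an unsolicited ACK: (stateless, stateful)."""
    stateless = StatelessFilter(allowed_dports=[25, 80])
    stateful = StatefulFilter(set())
    return stateless.check(ACK_PROBE), stateful.check(ACK_PROBE)


if __name__ == "__main__":
    print("separate tables:", asymmetric_scenario(False))          # ('pass', 'drop')
    print("shared table:   ", asymmetric_scenario(True))           # ('pass', 'pass')
    print("ACK probe (stateless, stateful):", ack_probe_results())  # ('pass', 'drop')
```

With separate tables box B has never seen the outbound SYN, so the legitimate reply is dropped, which is exactly the symmetry problem the poster describes; sharing the table between the two boxes is what makes the second box accept it. The ACK probe shows the other side of the argument in the quoted reply: a flag-only "established" rule on a stateless filter lets through traffic that no inside host solicited, while the stateful filter has no entry and drops it.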

