It sounds like FW-1's "Fastpath" mode.. basically it runs it through the stateful engine until it feels "safe" then falls over to stateless..

I don't recommend using it unless one really needs the bandwidth and can tolerate the loss in security..

Cheers,
Bret

At 21:04 11/03/00 +0100, you wrote:
>
>Is it just me, or does this just sound like
>plain old stateless packet filtering mixed up with
>stateful inspection?
>
>----8<-----
>
>http://www.effnet.se/technology/firewall.html
>
>The Effnet algorithm applied on firewalls makes the performance largely
>independent of the number of concurrent connections filtered through
>the firewall.
>
>[...]
>
>The Effnet algorithm does
>not rely on stateful inspection to achieve high throughput by caching
>filtering decisions. Instead, all traffic is processed by the filtering
>engine, which selectively applies stateful inspection only to traffic
>where it is really needed. Therefore, it is not necessary to maintain
>states for every connection through the firewall. Hence, the name is
>Selective Inspection.
>
>[...]
>
>In fact, there could be millions of active connections from the Internet
>to
>the DMZ without affecting the number of connections from the internal
>network.
>
>http://www.effnet.se/technology/images/firewall_pp_art.gif
>[This image illustrates all the above]
>
>----8<-----
>
>Uhm... How does one go about doing things like SYN flood protection,
>content inspection, etc etc etc if you're just being a plain old
>packet filter? What about randomizing TCP sequence numbers - that
>can't be done without keeping states?
>And how the hell would the firewall go about detecting FIN+ACK
>and other stealth scans and stuff if it doesn't know if the
>connection is open or not?
>
>What does this accomplish that plain old dumb packet filtering
>routers can't already do?
>
>Am I just being a jackarse?
>
>/Mike
>
>--
>Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
>Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
>Mobile: +46-(0)70-66 77 636
>WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
>

Technical Incursion Countermeasures
[EMAIL PROTECTED] http://www.ticm.com/
voice mail/fax: (+65)98421426(UTC+8 hrs)
The Insider - a e'zine on Computer security
http://www.ticm.com/info/insider/index.html
Re: EffNet - Odd inspection algorithm?
Technical Incursion Countermeasures Sat, 11 Mar 2000 20:28:19 -0800
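
The question raised in the thread about FIN+ACK probes, as an added example that is not part of the original messages: a toy stateless port rule and a toy connection tracker judge the same constructed packets, showing that only the tracker can tell a close on a known connection from a probe with no connection behind it. The function and class names, the addresses and the port are assumptions made for the illustration, not any vendor's engine.

```python
# Added illustration: toy filters, not any vendor's engine.
# Addresses, ports and names below are constructed for the example.
from dataclasses import dataclass

SYN, ACK, FIN = "SYN", "ACK", "FIN"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset

def stateless_allow(pkt, port=80):
    """Plain packet filter: judges each segment by destination port only."""
    return pkt.dport == port

class ConnTracker:
    """Minimal stateful filter for client-to-server segments.
    Teardown and timeouts are left out to keep the example short."""
    def __init__(self, port=80):
        self.port = port
        self.seen_syn = set()

    def allow(self, pkt):
        if pkt.dport != self.port:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == {SYN}:
            self.seen_syn.add(key)   # new connection attempt: remember it
            return True
        # Any other segment must belong to a connection we saw being opened.
        return key in self.seen_syn

def compare(packets):
    """Return (flags, stateless verdict, stateful verdict) per packet."""
    tracker = ConnTracker()
    return [(sorted(p.flags), stateless_allow(p), tracker.allow(p)) for p in packets]

WEB = ("192.0.2.10", 80)
SAMPLE = [
    Packet("198.51.100.7", 40000, *WEB, frozenset({SYN})),
    Packet("198.51.100.7", 40000, *WEB, frozenset({ACK})),
    Packet("198.51.100.99", 41000, *WEB, frozenset({FIN, ACK})),  # no prior SYN
    Packet("198.51.100.7", 40000, *WEB, frozenset({FIN, ACK})),   # real close
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

The cost of the stateful verdict is the `seen_syn` table, which grows with the number of open connections; that table is the per-connection state the quoted Effnet text says it avoids keeping for all traffic.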
