On Thu, 17 Jan 2002, Michael Janke wrote:
[SNIP]
>
> I don't think that CBAC itself adds much to the processor load, but because CBAC
> works by adding an ACL entry for every TCP/UDP session, the ACL can grow to be
> quite long. We had a site decide to teach their students how to port scan. Each
> student lit off their own nmap session & pointed it at a remote site. That
> created enough ACL entries to overload a 2600.
In past discussions on this, it has been strongly suggested that CBAC is
costly, on mem and CPU, and that reflexive ACLs might be a better
choice of options. Chris Breton and Ben Nagy might be able to add to
this...
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls