"Paul D. Robertson" wrote:
>
> At some point, you add enough state tracking information to have a thing
> as complex as a stack. At that point, the benefits start to go south
> (worrying about size of state tables, lifetime of entries, etc.)

This happens pretty much immediately when you start tracking state. The difference (to my mind, at least) is that a purpose-built SPF doesn't have to worry overly much about presenting a user-friendly socket layer to local applications on the machine, and doesn't have to conserve kernel memory space. This gives purpose-built stuff an edge. (And hopefully, a firewall developer is a bit more careful than the average general o/s developer, although I know that there are exceptions to that. But that reflects on proxy developers as well, so I refuse to call this a valid point in the on-topic debate :))

> > [randomizing sequence numbers]
> > If the PIX does this, we are apparently not unique in this capability.
> > (However, please note that I never claimed that we were.)
> > This is good though: it makes me less of a marketroid, and
> > gives me more ammo to use against Paul :)
>
> Now I've done gone and learned something too ;)
>
> Is it just ISNs that get randomized, or do (either product) they also
> track and rewrite all sequence numbers? Is it for both sides of the
> connection (in either case)?

If you modify the sequence numbers in one direction, you'd darn better keep modifying them the same way in that direction, and also the ACKs in the reverse direction, or things break horribly :)

I can't answer for the PIX, but we randomize the ISNs (and consequent ACKs) in both directions (using one offset for each). Doing it that way was easier (and safer) than just doing it in one direction.

'nuf pseudo-propaganda now... now I need to go dissect your last counterargument :)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
For bored sysadmins: http://lart.badf00d.org

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
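The per-direction offset rule the reply above describes (shift the sequence numbers going one way, and un-shift the ACKs coming back the other way, with one offset per direction) can be shown end to end in a few lines. The following is an added example written for this page; it is not code from the original post, and it is neither Clavister's nor Cisco's implementation. The names (Segment, SeqRewriter, C2S/S2C), the explicit test offsets and the "naive host" handshake model are all the example's own assumptions. OneWayRewriter deliberately reproduces the mistake the post warns about, so the breakage is visible.

```python
"""Per-direction TCP sequence-number offsetting, as a stateful firewall that
randomises ISNs for both hosts has to do it.  Added illustration only: this is
not Clavister or Cisco PIX code; all names here are the example's own."""
from __future__ import annotations
import random
from dataclasses import dataclass, replace

MOD = 1 << 32                      # TCP sequence space wraps at 2**32
C2S, S2C = "c2s", "s2c"            # inside->outside and outside->inside


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int = 0
    syn: bool = False
    has_ack: bool = False          # ACK control bit set?


def other(direction: str) -> str:
    return S2C if direction == C2S else C2S


class SeqRewriter:
    """One per-connection state entry: a random offset for each direction.

    Rule: a segment travelling in direction d gets seq += off[d].  The peer
    acknowledges the shifted numbers, so segments travelling the other way
    must get ack -= off[d], i.e. ack -= off[other(their direction)].
    """

    def __init__(self, offsets: dict[str, int] | None = None) -> None:
        rng = random.SystemRandom()    # offsets are fixed at SYN time
        self.off = offsets or {C2S: rng.randrange(1, MOD), S2C: rng.randrange(1, MOD)}

    def rewrite(self, seg: Segment, direction: str) -> Segment:
        seq = (seg.seq + self.off[direction]) % MOD
        ack = (seg.ack - self.off[other(direction)]) % MOD if seg.has_ack else seg.ack
        return replace(seg, seq=seq, ack=ack)


class OneWayRewriter(SeqRewriter):
    """The mistake the post warns about: shift seq in one direction but never
    touch the ACKs coming back the other way."""

    def rewrite(self, seg: Segment, direction: str) -> Segment:
        if direction != C2S:
            return seg
        return replace(seg, seq=(seg.seq + self.off[C2S]) % MOD)


def ack_acceptable(snd_una: int, snd_nxt: int, ack: int) -> bool:
    """RFC 793 acceptability test a host applies: SND.UNA < SEG.ACK <= SND.NXT,
    computed modulo 2**32 so it survives wraparound."""
    return 0 < (ack - snd_una) % MOD <= (snd_nxt - snd_una) % MOD


def handshake(client_isn: int, server_isn: int, fw: SeqRewriter) -> dict:
    """Run a three-way handshake through the rewriter.  Hosts are modelled
    naively: each simply acknowledges the sequence number it saw."""
    # 1. client -> firewall -> server: SYN (ISN gets randomised here)
    syn = fw.rewrite(Segment(seq=client_isn, syn=True), C2S)
    # 2. server -> firewall -> client: SYN/ACK acknowledging the seq it saw
    synack = fw.rewrite(
        Segment(seq=server_isn, ack=(syn.seq + 1) % MOD, syn=True, has_ack=True), S2C)
    # 3. client -> firewall -> server: ACK acknowledging the seq it saw
    ack = fw.rewrite(
        Segment(seq=(client_isn + 1) % MOD, ack=(synack.seq + 1) % MOD, has_ack=True), C2S)
    return {
        "server_saw_client_isn": syn.seq,       # randomised, != client_isn
        "client_saw_server_isn": synack.seq,    # randomised, != server_isn
        "ack_seen_by_client": synack.ack,       # must equal client_isn + 1
        "ack_seen_by_server": ack.ack,          # must equal server_isn + 1
        "client_accepts": ack_acceptable(client_isn, (client_isn + 1) % MOD, synack.ack),
        "server_accepts": ack_acceptable(server_isn, (server_isn + 1) % MOD, ack.ack),
    }


if __name__ == "__main__":
    # Constructed ISNs and offsets so the run is reproducible.
    offsets = {C2S: 0xDEADBEEF, S2C: 0x12345678}
    print("both directions:", handshake(1000, 5000, SeqRewriter(offsets)))
    print("one direction:  ", handshake(1000, 5000, OneWayRewriter(offsets)))
```

With both offsets applied, each host ends up acknowledging exactly the other's real ISN + 1 even though neither ever sees the other's real ISN. With the one-way variant the server is happy but the client receives an ACK that is off by the whole c2s offset, fails the SND.UNA < SEG.ACK <= SND.NXT check, and the connection never completes, which is the "things break horribly" case.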
