Dear All,

someone please give me their opinions....

Our rule base has been left unattended for a little while... I know the ins
and outs of creating rules and stuff like that... but I was thinking of a
reorganisation....

Is it better to put all the accept rules at the top so that these are
executed first, or is it better to specify the drops first, except for the
clean-up rule at the end?

On another but related note... why does FW-1 use a top-down hierarchical
approach when, by common consent, the most effective method of sorting (which
is essentially what happens when a decision to either drop or accept a
packet is made) is binary sorting, whereby the firewall makes decisions
based on source and destination: if the source and destination are in my allowed
table, allow it to the next sort level... why trawl through 10 rules checking
every time to see if the source, destination and service of rule x are complied
with?

I'm probably not explaining myself very well, but I think you'd get the
gist of what I'm saying...

i.e.....
1. source 10.50.10.10 ... is it allowed to 10.10.50.20? .... answer no, drop packet
2. source 10.50.10.10 ... is it allowed to 10.10.50.10? .... answer yes, go to next level
3. source 10.50.10.10 ... is it allowed to use port 25? .... answer yes, accept packet through
4. source 10.50.10.10 ... is it allowed to use port 80? .... answer no, drop packet

This is kind of what I mean ..binary sorting I'm reliably informed.

The example of which I'm told is...

a b c d e f g h i j k l m n o p q r s t u v w x y z

M is the middle letter and is known... you submit letter T... the sort asks:
is T greater than M? Answer yes... remove letters a - l... a new mid point is
known, i.e. U, and so on until all you have is T...

There may be little difference in what FW-1 does in terms of its rule
base.... for example we have rules something like this;

1. source Any  destination 10.10.50.10   service (port) 25  Accept...

this is fine, but if this rule is rule 9 the FW has to scan down 8 rules before
it gets to this one... if all the allows were known before the packet even
reached the firewall you could save some time?

Is that logical? Anyhow, could someone much brighter than me who can be bothered
please explain it ;-)...

thanx ;-)


Paul Messer 
PC & Network Support Manager
Taylor & Francis Group Plc
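An added example, not from Paul's message or from Check Point, that models the two things the post asks about: a top-down first-match scan that counts how many rules are inspected, and the "accepts first, clean-up rule last" reorganisation. The addresses and ports come from the post; the rule set and the sample packets are constructed assumptions, chosen so that two rules overlap.

```python
from ipaddress import ip_address, ip_network

# Constructed rule base in the post's "source / destination / service / action"
# shape. First matching rule wins, top to bottom, as in FW-1; "Any" matches
# everything. Rules 3 and 4 overlap on purpose (assumption, for illustration).
RULES = [
    ("Any",           "10.10.50.20", "Any", "drop"),    # 1: nobody reaches .20
    ("10.50.10.0/24", "10.10.50.10", 25,    "accept"),  # 2: SMTP to .10
    ("10.50.10.10",   "Any",         "Any", "drop"),    # 3: one host cut off
    ("10.50.10.0/24", "10.10.50.10", 80,    "accept"),  # 4: HTTP to .10
    ("Any",           "Any",         "Any", "drop"),    # 5: clean-up rule
]

def _matches(field, value):
    """One rule column against one packet field (host, CIDR, port or Any)."""
    if field == "Any":
        return True
    if isinstance(field, int):
        return field == value
    return ip_address(value) in ip_network(field, strict=False)

def first_match(rules, src, dst, port):
    """Top-down scan: returns (action, number of rules inspected)."""
    for n, (rsrc, rdst, rport, action) in enumerate(rules, start=1):
        if _matches(rsrc, src) and _matches(rdst, dst) and _matches(rport, port):
            return action, n
    return "drop", len(rules)   # implicit drop if no clean-up rule is present

def accepts_first(rules):
    """The reorganisation asked about: accept rules moved above the drops,
    clean-up rule kept last."""
    body, cleanup = rules[:-1], rules[-1]
    return ([r for r in body if r[3] == "accept"] +
            [r for r in body if r[3] == "drop"] + [cleanup])

def verdict_changes(rules, packets):
    """Packets whose verdict differs between the original and reordered base,
    i.e. where the reorganisation is not just a speed change."""
    reordered = accepts_first(rules)
    return [p for p in packets
            if first_match(rules, *p)[0] != first_match(reordered, *p)[0]]

# Constructed packets: the four cases from the post plus a second source host.
PACKETS = [("10.50.10.10", "10.10.50.20", 25), ("10.50.10.10", "10.10.50.10", 25),
           ("10.50.10.10", "10.10.50.10", 80), ("10.50.10.11", "10.10.50.10", 80)]
```

Running `verdict_changes(RULES, PACKETS)` shows that the scan cost is only half the story: moving the accepts up turns the third packet from a drop (rule 3) into an accept (rule 4), because first-match order is what resolves overlapping rules.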


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
