Simon,

Fastmode disables a lot of the stateful security checks so that
processing can be done faster.  This can create security holes because
you are no longer maintaining stateful HTTP connections.  In other words
this allows people to send in unsolicited ACK packets, which allows them
to fully port scan machines that you've allowed fastmode service to
(this was also discussed at Black Hat last week).  

I never use fastmode, so I'm not precisely sure what aspects of the rule
processing it skips, but it makes sense that "account" tracking wouldn't
work, since in order to do so, you must maintain much MORE state
information, and in actuality, you're maintaining much LESS with
fastmode turned on.

Hope this helps!

Jason

Simon Guo wrote:
> 
> When having a consistency check, I get the message: "Account is not allowed
> to http fast mode".
> 
> How does the fast mode work?  How does the account tracking work? Why is
> account tracking not allowed to http fast mode?
> 
> Simon
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
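
The point in the reply about connection state, as an added example that is not part of the original thread and not Check Point's code: a simplified model comparing a filter that keeps no state with one that tracks connections, run over constructed packets. The rule, the addresses (documentation ranges) and all names are assumptions, and only client-to-server packets are modeled.

```python
from collections import namedtuple

# Constructed sample packets; flags "S" = SYN, "A" = ACK.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

ALLOWED = {("192.0.2.10", 80)}  # hypothetical rule: HTTP to one web server


def stateless_filter(pkt):
    """Model of a filter with no connection state: only the destination
    address and port are compared against the rule."""
    return (pkt.dst, pkt.dport) in ALLOWED


class StatefulFilter:
    """Model of stateful inspection: a non-SYN packet passes only if it
    belongs to a connection previously opened by an allowed SYN."""

    def __init__(self):
        self.conns = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":  # new connection attempt
            if (pkt.dst, pkt.dport) in ALLOWED:
                self.conns.add(key)
                return True
            return False
        return key in self.conns  # ACK needs a matching table entry


def unsolicited_acks(packets):
    """Return packets the stateless model passes but the stateful one drops."""
    stateful = StatefulFilter()
    found = []
    for pkt in packets:
        passed_stateless = stateless_filter(pkt)
        passed_stateful = stateful.check(pkt)
        if passed_stateless and not passed_stateful:
            found.append(pkt)
    return found


SAMPLE = [
    Pkt("198.51.100.7", 40000, "192.0.2.10", 80, "S"),  # opens a connection
    Pkt("198.51.100.7", 40000, "192.0.2.10", 80, "A"),  # belongs to it
    Pkt("203.0.113.5", 51000, "192.0.2.10", 80, "A"),   # no prior SYN
]
```

Calling unsolicited_acks(SAMPLE) returns only the third packet, the ACK with no preceding SYN.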

