Mikael Olsson wrote:

> If you keep state, you will be vulnerable to state table overflows.
> Period. The only real question is: how much work does the attacker
> need to put in before it becomes painful for the networks that the
> firewall is protecting? Is being able to resist a 1 Mbps stream
> (~4500 pps) "Not vulnerable"? Is being able to resist a 34 Mbps stream
> (~150 kpps) "Not vulnerable"? Or should every single firewall
> vendor report in and say "Vulnerable", and describe what the limit is?

If a vendor's product description claims a capacity of throughput that can be handled by the product, then that product is particularly vulnerable if "overflow stream" is less than "claimed capacity". But as you point out, it would be important to find the limits of all products and what happens when the state table overflows, because products can always be deployed without heed to vendor information. For firewall setups that don't have a vendor or a specific product (i.e. Linux, *BSD, etc.) it would also be handy to know their limits and how they fail.

> And, yes, ALG-only firewalls can also be overloaded. It's just a
> different type of 'state'.

Resource exhaustion is possible in almost any scenario; it is more important to find out when and how things fail, to ensure that failure only results in a loss of connectivity and not a loss of security.

marty

-- 
You need only two tools, WD-40 and duct tape. If it doesn't move and it should, use the WD-40. If it moves and shouldn't, use the tape.

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
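The distinction marty draws between "loss of connectivity" and "loss of security" when a state table overflows can be made concrete with a toy connection-tracking table. The following is an added example written for this archive page, not code from the firewall-wizards post or from any product discussed on the list. It assumes a simple policy (inside hosts may open anything outbound; from outside only a DMZ web server on 10.0.0.80:80 may be reached), a fixed-size table with an idle timeout, and two ways of behaving once the table is full: fail-closed (untrackable packets are dropped) and a hypothetical fail-open mode that falls back to stateless matching so that flows whose entries were lost are not cut off. All addresses, ports and packets are constructed for the example.

```python
"""
Toy state table: compare fail-closed and fail-open behaviour under a
SYN flood that exhausts the table. Constructed example; the hosts,
ports and policy are assumptions, not taken from any real product.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool        # first packet of a new flow
    ack: bool        # looks like a reply / established-flow packet
    direction: str   # "in" (from outside) or "out" (from inside)


# Assumed stateless ruleset for which NEW flows may be opened.
INBOUND_SERVICES = {("10.0.0.80", 80)}   # DMZ web server reachable from outside
OUTBOUND_ALLOWED = True                   # inside hosts may initiate anything


class StateTable:
    """Bounded table of tracked flows, oldest first, expired by logical time."""

    def __init__(self, capacity: int, timeout: int):
        self.capacity = capacity
        self.timeout = timeout
        self.flows = OrderedDict()   # (src, dst, dport) -> last seen

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.dst, p.dport)

    def expire(self, now: int) -> None:
        """Drop entries idle longer than the timeout (oldest are at the front)."""
        while self.flows:
            key, last = next(iter(self.flows.items()))
            if now - last <= self.timeout:
                break
            self.flows.popitem(last=False)

    def has(self, p: Packet) -> bool:
        return self._key(p) in self.flows

    def touch(self, p: Packet, now: int) -> None:
        key = self._key(p)
        self.flows.pop(key, None)
        self.flows[key] = now        # move to the newest position

    def insert(self, p: Packet, now: int) -> bool:
        """Try to track a new flow; False means the table is full."""
        self.expire(now)
        if len(self.flows) >= self.capacity:
            return False
        self.flows[self._key(p)] = now
        return True

    @property
    def full(self) -> bool:
        return len(self.flows) >= self.capacity


def new_flow_permitted(p: Packet) -> bool:
    if p.direction == "out":
        return OUTBOUND_ALLOWED
    return (p.dst, p.dport) in INBOUND_SERVICES


def filter_packet(table: StateTable, p: Packet, now: int, fail_open: bool) -> str:
    """Return "pass" or "drop".

    fail_open=False: no state means drop, and a permitted new flow is still
    dropped if it cannot be tracked. Overflow costs connectivity only.

    fail_open=True (hypothetical degraded mode): once the table is full,
    ACK-flagged packets pass without state and permitted new flows pass
    untracked. Overflow now also costs security: an outside attacker can
    reach inside hosts with ACK-flagged probes the policy never allowed.
    """
    table.expire(now)
    if table.has(p):
        table.touch(p, now)
        return "pass"
    if p.syn and not p.ack and new_flow_permitted(p):
        if table.insert(p, now):
            return "pass"
        return "pass" if fail_open else "drop"
    if p.ack and fail_open and table.full:
        return "pass"
    return "drop"


def run_flood(fail_open: bool, capacity: int = 1000) -> dict:
    """Attacker fills the table with spoofed SYNs to the permitted service,
    then probes an inside host; legitimate users try to open new flows."""
    table = StateTable(capacity=capacity, timeout=60)
    now = 0
    for i in range(capacity + 50):            # more spoofed sources than slots
        spoofed = Packet(f"spoofed-src-{i}", "10.0.0.80", 80, True, False, "in")
        filter_packet(table, spoofed, now, fail_open)

    probe = Packet("198.51.100.9", "10.0.0.22", 22, False, True, "in")       # not in policy
    legit = Packet("198.51.100.7", "10.0.0.80", 80, True, False, "in")       # permitted service
    inside = Packet("192.168.1.5", "198.51.100.50", 443, True, False, "out") # inside user
    return {
        "tracked": len(table.flows),
        "probe": filter_packet(table, probe, now, fail_open),
        "legit_during": filter_packet(table, legit, now, fail_open),
        "inside_during": filter_packet(table, inside, now, fail_open),
        # after the idle timeout the flood entries expire and service recovers
        "legit_after_timeout": filter_packet(table, legit, now + 61, fail_open),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("fail_open=%s: %s" % (mode, run_flood(mode)))
```

Under fail-closed the flood costs the legitimate user and the inside host their new connections until the spoofed entries time out, which is the "loss of connectivity" outcome; under the fail-open fallback the same flood lets an unsolicited ACK-flagged probe through to an inside host on port 22, which is the "loss of security" outcome. Measuring where a real product sits on that axis means finding its table limit and then checking exactly these two packet classes once it is full.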
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 07:30:56 PDT