Re: [FW1] How many rules can exists in fw1 ?
Vern Paxson (vern ee.lbl.gov)
Sat, 19 Sep 1998 20:33:17 PDT
> ... This means the amount of
> Inspect code is probably directly proportional to the overhead the
> firewall is going to experience each time it needs to analyze traffic.
>
> In short, make it concise, since more rules may slow down your firewall.
I don't know about Inspect in particular, but there are finite-automaton
style matchers that don't significantly increase in overhead as you add
more rules. See this year's SIGCOMM proceedings for two papers on fast
matching:

    High Speed Policy-based Packet Forwarding Using Efficient
    Multi-dimensional Range Matching, T.V. Lakshman and D. Stiliadis

    Fast Scalable Algorithms for Level Four Switching,
    V. Srinivasan, George Varghese, Subash Suri, Marcel Waldvogel

Abstracts (and perhaps full papers) should be available off of:
http://www.acm.org/sigcomm/sigcomm98/
- Vern
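
The point about rule count and matching overhead, as an added example that is not part of the original message and is neither Inspect's implementation nor the algorithms from the cited papers: a first-match linear scan next to a precompiled matcher that does one binary search per field and ANDs per-interval rule bitmaps. The rule format, the two fields (source address, destination port) and all function names are assumptions made for the illustration.

```python
from bisect import bisect_right

def sample_rules(n):
    # Constructed rule set: n single-port permits, then a catch-all deny.
    # Each rule is ((src_range, dport_range), action); the first match wins.
    any_src = (0, 2**32 - 1)
    rules = [((any_src, (1000 + i, 1000 + i)), f"permit-{i}") for i in range(n)]
    return rules + [((any_src, (0, 65535)), "deny")]

def linear_match(rules, pkt):
    """Scan rules in order; returns (action, rules examined)."""
    for steps, (ranges, action) in enumerate(rules, 1):
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, pkt)):
            return action, steps
    return "drop", len(rules)

def compile_rules(rules, nfields=2):
    """Per field: sorted cut points and, for the interval starting at each
    cut, a bitmap (bit i = rule i) of the rules covering that interval."""
    tables = []
    for f in range(nfields):
        spans = [ranges[f] for ranges, _ in rules]
        cuts = sorted({0} | {lo for lo, _ in spans} | {hi + 1 for _, hi in spans})
        masks = [sum(1 << i for i, (lo, hi) in enumerate(spans) if lo <= c <= hi)
                 for c in cuts]
        tables.append((cuts, masks))
    return tables

def compiled_match(tables, rules, pkt):
    """One binary search per field, then AND the bitmaps. The AND still
    touches n bits, but as machine words, not n multi-field comparisons."""
    hit = -1  # all bits set
    for (cuts, masks), v in zip(tables, pkt):
        hit &= masks[bisect_right(cuts, v) - 1]
    if hit == 0:
        return "drop"
    return rules[(hit & -hit).bit_length() - 1][1]  # lowest set bit = first rule

if __name__ == "__main__":
    rules = sample_rules(500)
    tables = compile_rules(rules)
    pkt = (0x0A000001, 80)  # constructed packet: src 10.0.0.1, dst port 80
    print(linear_match(rules, pkt))      # examines every rule before the deny
    print(compiled_match(tables, rules, pkt))
```
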
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT