Firewall Wizards mailing list archives
RE: TCP buffers in firewalls
From: "Stout, William" <StoutW () pios com>
Date: Fri, 12 Dec 1997 13:21:04 -0500
(Un)fortunately it's not mine. This particular site pulled the firewall completely, and now depends on Cisco filtering (fixed part of the problem).

I'll use DoubleClick (gifserver) as an example of multiple (TCP connection-oriented) sessions to the server from an ungodly number of webpages. Being connection-oriented http/tcp gif links, once each browser establishes a connection to the server, the session stays up until the gif or cookie exchange is complete. Meanwhile, as the gif database or service app slows or is overloaded, many other attempted tcp sessions are queued up. Potentially a firewall trying to keep track of each session throws up its hands and quits. ;)

I'm rather curious if this is a problem in general, where 'excessive' current and attempted sessions (small packets) will crash a firewall. Also if firewalls which actually try to track session state are more or less vulnerable, and if it's a stack issue fixable by a simple tuning parameter.

If a hacker wants to affect something remotely, he figures out what it reacts to. If he knows a firewall must 'do work' when tracking sessions, he might be able to overload it (by flooding protected systems) if there's no protection mechanism, or if it's designed to restart/shutdown on overload. This might only be an issue if public servers (http, ftp, etc) are behind a firewall, and their aggregate session capacity is higher than what the firewall can handle.

Bill Stout
_____________________________________
1998 will be the year of natural disasters
----- Original Message -----
From: chuck yerkes [SMTP:Chuck () yerkes com]
Reply To: chuck yerkes [SMTP:Chuck () yerkes com]
Sent: Thursday, December 11, 1997, 16:10:19
To: Stout, William
Cc: firewall-wizards () nfr net
Subject: Re: TCP buffers in firewalls

I know that in the previous major version of Checkpoint, the proxies' performance was, er, minimal. If it's your machine, try another proxy (TIS httpd-gw, squid (without caching), whatever) on the firewall. Checkpoint seems, to me, to be designed to be a screening router primarily with proxies put in as an afterthought. I do know that an Ultra with FW-1 can handle 100baseT ok.

It could be a TCP issue, but more likely it's a 'proxy that sucks' issue.

chuck
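The scenario Bill Stout describes (a stateful firewall that must 'do work' per session being pushed over by a flood of small, never-completed TCP connections, and whether a tuning parameter fixes it) can be made concrete with a toy connection-tracking table. The code below is an added example for this archive page, not from either poster or from any firewall product: it models a fixed-capacity state table with separate idle timeouts for half-open and established entries and an optional per-source cap, then runs a constructed flood beside constructed browser traffic. The addresses, rates, capacity and timeouts are made up for illustration.

```python
"""Toy connection-tracking table: how a SYN flood of half-open sessions
exhausts a stateful firewall, and what two tuning knobs change.
Added example; all addresses, rates and limits are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class TrackerConfig:
    capacity: int              # max tracked connections before the table is full
    established_idle: int      # seconds an ESTABLISHED entry may sit idle
    embryonic_timeout: int     # seconds a half-open (SYN seen, no ACK) entry may live
    per_source_limit: int = 0  # max entries per source IP; 0 means no limit


@dataclass
class Entry:
    state: str      # "SYN" (half-open) or "EST"
    last_seen: int  # seconds
    src: str


class ConnTracker:
    """Stateful filter: a packet passes only if it opens a flow with SYN or
    matches an existing entry. Every packet costs table work, which is what
    makes the table itself a target."""

    def __init__(self, cfg: TrackerConfig):
        self.cfg = cfg
        self.table: dict[tuple, Entry] = {}
        self.per_src: Counter = Counter()
        self.drops: Counter = Counter()

    def _remove(self, key) -> None:
        self.per_src[self.table[key].src] -= 1
        del self.table[key]

    def _expire(self, now: int) -> None:
        # Half-open entries get the (normally shorter) embryonic timeout.
        dead = [k for k, e in self.table.items()
                if now - e.last_seen > (self.cfg.embryonic_timeout if e.state == "SYN"
                                        else self.cfg.established_idle)]
        for k in dead:
            self._remove(k)

    def packet(self, now, src, sport, dst, dport, flags) -> str:
        self._expire(now)
        key = (src, sport, dst, dport)
        e = self.table.get(key)
        if e is None:
            if "S" not in flags:                      # mid-stream packet, no state
                self.drops["nostate"] += 1
                return "drop-nostate"
            if self.cfg.per_source_limit and self.per_src[src] >= self.cfg.per_source_limit:
                self.drops["srclimit"] += 1
                return "drop-srclimit"
            if len(self.table) >= self.cfg.capacity:  # table exhausted: new flows refused
                self.drops["full"] += 1
                return "drop-full"
            self.table[key] = Entry("SYN", now, src)
            self.per_src[src] += 1
            return "new"
        e.last_seen = now
        if e.state == "SYN" and "A" in flags:
            e.state = "EST"
        if "F" in flags or "R" in flags:
            self._remove(key)
            return "closed"
        return "pass"


SERVER = "192.0.2.80"  # constructed address of the public web server behind the firewall


def run_scenario(cfg, seconds=60, attack_syns_per_sec=40, legit_per_sec=5):
    """Return (legitimate SYNs refused, peak table size). The attacker sends
    SYNs from four hosts and never completes a handshake; browsers complete
    it at once and close two seconds later, like a short GIF fetch."""
    t = ConnTracker(cfg)
    legit_refused, peak, pending_fin = 0, 0, []
    for now in range(seconds):
        for i in range(attack_syns_per_sec):
            n = now * attack_syns_per_sec + i
            t.packet(now, f"203.0.113.{n % 4 + 1}", 10000 + n, SERVER, 80, "S")
        for j in range(legit_per_sec):
            n = now * legit_per_sec + j
            src, sport = f"198.51.100.{n % 200 + 1}", 40000 + n
            if t.packet(now, src, sport, SERVER, 80, "S") != "new":
                legit_refused += 1
                continue
            t.packet(now, src, sport, SERVER, 80, "A")  # handshake completes
            pending_fin.append((now + 2, src, sport))
        peak = max(peak, len(t.table))
        for due, src, sport in [p for p in pending_fin if p[0] == now]:
            t.packet(now, src, sport, SERVER, 80, "FA")  # GIF served, browser closes
        pending_fin = [p for p in pending_fin if p[0] > now]
    return legit_refused, peak
```

With a 1000-entry table and a 120-second embryonic timeout, 40 half-open SYNs per second fill the table in about 25 seconds and every browser SYN after that is refused, even though the browsers' own sessions are short. Dropping the embryonic timeout to a few seconds keeps the flood's footprint at a few hundred entries and no legitimate session is refused; so does capping entries per source, but that knob only helps against a handful of attacking hosts, not against SYNs with forged random sources. The model also hints at the other half of Stout's question: expiry here scans the whole table on every packet, so the work per packet grows with the flood, which is exactly the load a real implementation must bound with timer wheels or hashed buckets.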
Current thread:
- TCP buffers in firewalls Stout, William (Dec 11)
- <Possible follow-ups>
- Re: TCP buffers in firewalls chuck yerkes (Dec 11)
- Re: TCP buffers in firewalls benecke (Dec 12)
- Re: TCP buffers in firewalls chuck yerkes (Dec 12)
- Re: TCP buffers in firewalls benecke (Dec 12)
- Re: TCP buffers in firewalls Bret Watson (Dec 12)
- RE: TCP buffers in firewalls Stout, William (Dec 12)
- Re: TCP buffers in firewalls Travis Low (Dec 12)
- RE: TCP buffers in firewalls Stout, William (Dec 15)