Firewall Wizards mailing list archives

RE: PIX vs Checkpoint vs Sonicwall vs Netscreen - comments?


From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Fri, 2 Aug 2002 10:43:57 +1000

-----Original Message-----
From: David Klein [mailto:dklein () netscreen com]
Sent: Friday, August 02, 2002 6:32 AM

This changes in ScreenOS 4.0.  The multiplicative nature of expanding
admin-defined policies with groups into "ASIC policies" changes to an
additive nature.

So if I have a policy using a src_addr group of 6 subnets and 
a dest_addr group of 7 subnets then it will only generate 13 instead 
of 42 "ASIC policies".  

Hmm, Dave, I guess I'm just going to have to go and ask you to explain this in
a bit more detail.
My (admittedly limited) understanding of ASIC design, packet filtering
techniques and algorithm design doesn't understand how you might get 13
rules out of this.

Unless, of course, you are using fall-through, multiple-path (tree like)
rule tables.

This would mean your rules, instead of being a straight match list:
SrcIP=xxx, DstIP=yyy, SVC=sv1, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv2, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv3, Allow
SrcIP=xxx, DstIP=yyy, SVC=sv4, Allow

You now have a "Tree-like" match list:
SrcIP=xxx, go_sub_A
SrcIP=xx2, go_sub_A
SrcIP=xx3, DstIP=yyy, SVC=sv0, Allow
go_sub_A:
  DstIP=yy1, go_sub_B
  DstIP=yy2, go_sub_B
  return
go_sub_B:
  SVC=sv1, Allow
  SVC=sv2, Allow
  SVC=sv3, Allow
  return

I can see some problems in ASIC performance if the ASIC was not designed to
cope with this. (Mind you, NetScreen have some funky programmers, who knows
what sort of cute kludges might be used.)

My concern with this form of rule organisation/re-rendering is that (just
like "best-fit" rule ordering) there may be circumstances in which
unexpected combinations occur. I think that this is covered in detail in Brent
Chapman's Firewalls book.

[Discussion: If the designers have, in fact, done this, then I can't see
them restricting the ASIC_policies ordering to a "per GUI-rule" basis. Thus
I would expect them to take the entire GUI ruleset and then normalise and
render as an ASIC_rule tree. -- This is what bothers me.]

This does not require a change to the ASIC or any hardware 
components for that matter. 

It is this comment that makes me suspect tree-like rather than first-match
rule parsing...

Dave,
        Please comment....

Kind Regards,
        Crispin Harris
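The two renderings discussed in this message, the straight match list and the "tree-like" list with go_sub/return sub-tables, as an added example that is not part of the original post and not NetScreen or ScreenOS code. It is a constructed simulation: the Policy class, the table layout, the sample subnets and the merge_src option are all assumptions made here. It shows why the tree form is additive (the sub-tables are shared by reference), reproduces the 42-versus-13 count from the quoted message (14 here, because the single service leaf is counted too), and adds the check a practitioner would want before trusting a re-rendered ruleset: compare its verdicts against first-match over the flat list. The deliberately naive merge_src mode coalesces identical source entries across admin rules and lets the checker catch exactly the kind of "unexpected combination" the message worries about.

```python
"""Flat (multiplicative) vs tree-like (additive) rendering of firewall
policies, plus an equivalence check between them.  Constructed example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import List


@dataclass
class Policy:                 # one admin-defined (GUI) rule, assumed layout
    src: List[str]            # address-group members, CIDR strings
    dst: List[str]
    svc: List[str]            # service-group members
    action: str               # "allow" or "deny"


# --- flat rendering: one entry per (src, dst, svc) combination ---------------
def render_flat(policies):
    """Multiplicative expansion: |src| * |dst| * |svc| entries per policy."""
    return [(s, d, v, p.action)
            for p in policies for s, d, v in product(p.src, p.dst, p.svc)]


def match_flat(flat, src_ip, dst_ip, svc, default="deny"):
    """Straight first-match walk over the flat list."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for s, d, v, action in flat:
        if src_ip in ip_network(s) and dst_ip in ip_network(d) and v == svc:
            return action
    return default


# --- tree rendering: src -> dst -> svc sub-tables ----------------------------
# tree      = [(src_subnet, dst_table), ...]    ("SrcIP=xxx, go_sub_A")
# dst_table = [(dst_subnet, svc_table), ...]    ("DstIP=yy1, go_sub_B")
# svc_table = [(svc, action), ...]              ("SVC=sv1, Allow")
# Sub-tables are shared by reference; that sharing is what makes the size additive.
def render_tree(policies, merge_src=False):
    tree = []
    for p in policies:
        svc_table = [(v, p.action) for v in p.svc]
        dst_table = [(d, svc_table) for d in p.dst]
        for s in p.src:
            if merge_src:
                # Deliberately naive whole-ruleset normalisation: reuse the node
                # of an identical src prefix from an earlier rule.  Its dst_table
                # is shared with that rule's other sources, so they silently
                # inherit this rule's destinations and services as well.
                for node_src, node_dst_table in tree:
                    if node_src == s:
                        node_dst_table.extend(dst_table)
                        break
                else:
                    tree.append((s, dst_table))
            else:
                tree.append((s, dst_table))
    return tree


def match_tree(tree, src_ip, dst_ip, svc, default="deny"):
    """Walk the tree; a sub-table that matches nothing 'returns', i.e. falls
    through to the next entry of the table that jumped into it."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for s, dst_table in tree:
        if src_ip not in ip_network(s):
            continue
        for d, svc_table in dst_table:
            if dst_ip not in ip_network(d):
                continue
            for v, action in svc_table:
                if v == svc:
                    return action
    return default


def tree_size(tree):
    """Count entries, counting each shared sub-table once."""
    seen, count = set(), 0
    for _, dst_table in tree:
        count += 1
        if id(dst_table) in seen:
            continue
        seen.add(id(dst_table))
        for _, svc_table in dst_table:
            count += 1
            if id(svc_table) in seen:
                continue
            seen.add(id(svc_table))
            count += len(svc_table)
    return count


def find_divergences(policies, tree, probes):
    """Probes (src, dst, svc) on which the tree disagrees with first-match over
    the flat list; every hit is an 'unexpected combination'."""
    flat = render_flat(policies)
    return [(probe, match_flat(flat, *probe), match_tree(tree, *probe))
            for probe in probes
            if match_flat(flat, *probe) != match_tree(tree, *probe)]


# --- constructed sample data -------------------------------------------------
BIG = Policy(src=[f"10.{i}.0.0/24" for i in range(1, 7)],    # 6 subnets
             dst=[f"172.16.{j}.0/24" for j in range(7)],      # 7 subnets
             svc=["http"], action="allow")
POLICIES = [                                   # two admin rules sharing one src
    Policy(["10.1.0.0/24", "10.2.0.0/24"], ["192.168.1.0/24"], ["http"], "allow"),
    Policy(["10.1.0.0/24"], ["192.168.9.0/24"], ["ssh"], "allow"),
]
PROBES = [
    ("10.1.0.5", "192.168.1.1", "http"),   # rule 1
    ("10.1.0.5", "192.168.9.1", "ssh"),    # rule 2
    ("10.2.0.5", "192.168.9.1", "ssh"),    # no rule: must fall to default deny
    ("10.2.0.5", "192.168.1.1", "ssh"),    # wrong service: must fall to deny
]

if __name__ == "__main__":
    print(len(render_flat([BIG])), "flat entries vs", tree_size(render_tree([BIG])), "tree entries")
    print("per-rule tree divergences:", find_divergences(POLICIES, render_tree(POLICIES), PROBES))
    print("merged tree divergences:  ", find_divergences(POLICIES, render_tree(POLICIES, merge_src=True), PROBES))
```

Run stand-alone it reports 42 flat entries against 14 tree entries for the 6-by-7 group, no divergences when each admin rule keeps its own sub-tree, and one divergence (10.2.0.5 to 192.168.9.1 on ssh allowed by the merged tree, denied by first-match) once identical source entries are coalesced across rules. The divergence probe is the practical takeaway: any rewriting of a ruleset into a different table shape should be regression-tested against the original first-match semantics, with probes chosen from the cross-product of the sources and destinations of neighbouring rules, not just from the addresses each rule names.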