Firewall Wizards mailing list archives

RE: CERT vulnerability note VU# 539363


From: "Stephen Gill" <gillsr () yahoo com>
Date: Wed, 16 Oct 2002 13:42:11 -0500

Hi Paul,

[re: stateless filtering]
] I find it slightly useful for UDP, but overall think the added complexity
] doesn't bring much in the way of protection if you carefully design your
] architecture.

I agree fully.  Performance gains aside, the security gained from
stateful filtering is not always that much.  Current convention would
have you think so, but there is a lot to be said for ACLs ;).

On the other hand, I find it much easier to configure stateful rules on
a firewall, especially when things like NAT are involved.  Having a
device that has a construct of established connections usually makes it
easier to configure and manage directional flows.

] The performance information that this thread has started IS interesting,
] and it's started me wondering about the whole "filter on a router vs.
] firewall" thing again.

Indeed!

-- steve

