
Tuesday, December 11, 2007

firewall-wizards Digest, Vol 20, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Dark Reading: Firewalls Ready for Evolutionary Shift
(ArkanoiD)
2. Re: Question on Cisco ASA's... do all the features slow it
down? (Carson Gaspar)
3. OpenBSD pf users? (Wim Lamotte)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Dec 2007 15:59:24 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary
Shift
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20071211125924.GA8564@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Mon, Dec 10, 2007 at 12:37:25PM -0500, Dave Piscitello wrote:
>
> > what you need to be able to do is to enforce valid HTTP,
>
> This would indeed be a positive step but:
>
> What is "valid HTTP"?
> Who defines it (not being naive here but it does not seem that W3C is
> the answer when tens of millions of browsers will do HTTP according to
> what the vendor releases, which becomes de facto "valid").

Yes, it is mostly W3C, I'd even say some "safe subset" of what W3C
permits us to do. Though we need a lot of heuristics to figure out
how to fix broken implementations in transit.


------------------------------

Message: 2
Date: Mon, 10 Dec 2007 21:42:26 -0800
From: Carson Gaspar <carson@taltos.org>
Subject: Re: [fw-wiz] Question on Cisco ASA's... do all the features
slow it down?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <475E2342.9050705@taltos.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

jacob c wrote:
> 1) Firewall performance figures from all vendors are highly overrated on
> the datasheets.

If you want to get a certain firewall company to complain to your senior
management that you're being "mean" and try and get you fired, demand 64
byte packet last-match performance numbers (as opposed to the 1500+ byte
first match numbers they'll try and give you). Also be very careful to
ask about behaviour when this limit is exceeded. It was very informative
to see which vendors were packet rate limited and which were bit rate
limited. The performance scaling with ruleset size was also interesting.
Sadly I don't know of any vendors that publish this data openly. I do
know that you can tell a good one by their reaction when you ask for it.

(And, no, I'm not making this up. But I'll refrain from naming names
since they can afford to sue me out of existence.)

--
Carson


------------------------------

Message: 3
Date: Sun, 9 Dec 2007 15:33:44 +0100
From: "Wim Lamotte" <Wim.Lamotte@UHasselt.be>
Subject: [fw-wiz] OpenBSD pf users?
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <011f01c83a70$809ed460$81dc7d20$@Lamotte@UHasselt.be>
Content-Type: text/plain; charset="us-ascii"

Hi,

I was wondering if any of the fw-wiz members is currently using the pf
firewall on OpenBSD. We are considering this platform as an alternative to
our current Checkpoint FW-1 running on a Nokia 2-node cluster, with which we
have had many problems (cluster not stable, SIP traversal problems,
SmartDefense unpredictable, high license costs, ...)

If anyone has evaluated the OpenBSD pf platform in the past, and concluded
that there were good reasons not to use it, I would also be very interested
to know what these reasons were.

Thanks,

Wim


------------------------------


End of firewall-wizards Digest, Vol 20, Issue 6
***********************************************
