Firewall Wizards mailing list archives

Re: ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall)


From: David Lang <david.lang () digitalinsight com>
Date: Tue, 29 Oct 2002 19:30:31 -0800 (PST)

also as far as the 'ALG are too slow' argument goes, it all depends on what
you define as 'slow'. A single ALG running under Windows on x86 hardware
can get you ~200Mb of throughput.

also if you are willing to consider load balancing multiple ALG firewalls
you can fairly quickly reach Gig-E wire speeds. In one case I am looking
at I can discount the vendors' throughput claims by half on equipment due
to be available Q1 2003 and you are still looking at handling almost a
gig of traffic with 4 boxes in an N+1 loadbalanced config (and this is not
available now due to vendor integration, equivalent hardware is available
today).

yes they do add additional latency and it is more of a pain to manage
several ALG boxes than one SPF, but processor speed has been climbing MUCH
faster than wire speed for quite a while.

think about what processor speeds were like back when 10Mb shared ethernet
was considered fast vs what you can buy today (and what is expected out
over the next year)

no I'm not saying that CNN.com with its 3+Gb of bandwidth should be
running ALG, but it's getting close to the point where that is a decision
they can make based on the added security vs the added complexity and
latency that would be needed to manage the dozen or so firewalls to
protect their several hundred webservers.

David Lang

On Tue, 29 Oct 2002, Mikael Olsson wrote:

Date: Tue, 29 Oct 2002 15:55:16 +0100
From: Mikael Olsson <mikael.olsson () clavister com>
To: Patrick M. Hausen <hausen () punkt de>
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall)


"Patrick M. Hausen" wrote:
[...]
That was the entire point. In all SPF implementations I've seen so
far the packets don't pass the OS's TCP implementation.
[...]
So why use SPF at all?

Ah, yes, this is the whole point of SPFs. If the OS starts rebuilding
packets from scratch, the performance penalty is high enough that,
for high performance scenarios, you arrive at "Sorry, too slow.
Gotta go for router ACLs instead. Shit."
                                  ^^^^ content filter bait

There's also the whole flexibility issue here. If your ALG isn't
smart enough to forward stuff that you absolutely need to get
through, you're again stuck with router ACLs.


This is not to say that you shouldn't combine SPFs and ALGs.
On the contrary.  An SPF is a tool. An ALG is a tool. They work
fine in tandem, each complementing the other's traits.

My preferred firewall (as used in the original sense of the word)
setup is a combination of an SPF box and one or more ALG boxes,
where I can mix and match as needed, per security zone.

I personally don't like putting the ALG logic on the "main traffic
control unit"; I'd rather have that off to one side and apply immutable
controls and alarms in the SPF box.  This is, of course, assuming that
the SPF box can't be circumvented, which has indeed been proven possible
to do when said box is either too "smart" and/or too dumb.
... but that's implementation specifics :)


/Mike, opinionated mofo.
                   ^^^^ more filter bait
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
