[fw-wiz] TCP syncookies - firewall or host?

FirewallWizards

[Top] [All Lists]

<prev [Date] next>

<prev [Thread] next>

[fw-wiz] TCP syncookies - firewall or host?

from [Florin Andrei]

[Permanent Link][Original]

To:	Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject:	[fw-wiz] TCP syncookies - firewall or host?
From:	Florin Andrei <florin@andrei.myip.org>
Date:	Tue, 03 Apr 2007 13:13:56 -0700
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	fwwizards-list2@consult.net
Delivered-to:	firewall-wizards@listserv.cybertrust.com
List-archive:	<https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help:	<mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id:	Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post:	<mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe:	<https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
Reply-to:	Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender:	firewall-wizards-bounces@listserv.icsalabs.com
User-agent:	Thunderbird 1.5.0.10 (X11/20070302)

Speaking about SYN flood - where would you handle it, at the firewall 
level, or at the host level?

Practical example:
A PIX-515E running v7.2.2, 128MB RAM
About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU 
cores (recent AMD64 CPUs), all of them behind the firewall

syncookies can be enabled either at the firewall level, or at the host 
level. Also, all kinds of TCP parameters can be tweaked on the firewall 
(intercept and connection limits) but also on the servers via the /proc 
filesystem.

This sounds like a job for the firewall, but on the other hand all those 
servers are very fast, there's a lot of them, and usually they're mostly 
idle. So I'm very tempted to dump that task on the servers.

Pros and cons?

-- 
Florin Andrei

http://florin.myip.org/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[fw-wiz] TCP syncookies - firewall or host?, Florin Andrei <= Re: [fw-wiz] TCP syncookies - firewall or host?, Florin Andrei [fw-wiz] Firewall surveyquestion, Steve orca Re: [fw-wiz] TCP syncookies - firewall or host?, rgolodner [fw-wiz] TCP syncookies - firewall or host?, chris mr

Next by Date:	Re: [fw-wiz] OT? New compromise., Mike Barkett
Next by Thread:	Re: [fw-wiz] TCP syncookies - firewall or host?, Florin Andrei
Indexes:	[Date] [Thread] [Top] [All Lists]