Why even allow the servers to see all of those options and then have to decide? I myself think PIX should drop it all at the external interfaces and never have to process anything further than that.

>-----Original Message-----
>From: Florin Andrei [mailto:florin@andrei.myip.org]
>Sent: Tuesday, April 3, 2007 04:13 PM
>To: 'Firewall Wizards Security Mailing List'
>Subject: [fw-wiz] TCP syncookies - firewall or host?
>
>Speaking about SYN flood - where would you handle it, at the firewall
>level, or at the host level?
>
>Practical example:
>A PIX-515E running v7.2.2, 128MB RAM
>About 16 servers running Red Hat Enterprise 4, 8 GB RAM each, 4 CPU
>cores (recent AMD64 CPUs), all of them behind the firewall
>
>syncookies can be enabled either at the firewall level, or at the host
>level. Also, all kinds of TCP parameters can be tweaked on the firewall
>(intercept and connection limits) but also on the servers via the /proc
>filesystem.
>
>This sounds like a job for the firewall, but on the other hand all those
>servers are very fast, there's a lot of them, and usually they're mostly
>idle. So I'm very tempted to dump that task on the servers.
>
>Pros and cons?
>
>--
>Florin Andrei
>
>http://florin.myip.org/
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@listserv.icsalabs.com
>https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
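The host-side half of the question (turning on syncookies and tuning the SYN backlog through /proc) looks like the following on a 2.6-era Linux server such as the RHEL 4 boxes above. This is an added example, not code from either poster: the setting values are illustrative rather than a recommendation from the thread, and the script assumes the /proc/sys/net/ipv4 file layout and the "SYN cookies sent" wording that "netstat -s" prints from the TcpExt counters. The counter check is the part a practitioner actually wants, because a rising "SYN cookies sent" number is the only direct evidence that the flood reached the host instead of being absorbed by the firewall's embryonic-connection limits.

```shell
#!/bin/sh
# Host-side SYN-flood handling on a Linux server. Added example, not from the
# thread. Assumes the 2.6-era /proc/sys/net/ipv4 layout and the TcpExt counter
# wording printed by "netstat -s"; the values below are illustrative only.

# Desired kernel settings as key=value words (illustrative values):
#   tcp_syncookies=1       answer with SYN cookies once the SYN backlog overflows
#   tcp_max_syn_backlog    half-open queue depth before cookies kick in
#   tcp_synack_retries     fewer SYN-ACK retransmits so half-open entries die sooner
SYN_SETTINGS="tcp_syncookies=1 tcp_max_syn_backlog=4096 tcp_synack_retries=2"

# Report each setting whose value under $1 (default /proc/sys/net/ipv4) differs
# from the desired one, one "name current desired" line each. Returns 0 if all
# match, 1 otherwise.
check_syn_settings() {
    dir=${1:-/proc/sys/net/ipv4}
    rc=0
    for kv in $SYN_SETTINGS; do
        key=${kv%%=*}
        want=${kv#*=}
        if [ -r "$dir/$key" ]; then
            have=$(cat "$dir/$key")
        else
            have=missing
        fi
        if [ "$have" != "$want" ]; then
            echo "$key $have $want"
            rc=1
        fi
    done
    return $rc
}

# Write the desired values under $1 (default /proc/sys/net/ipv4). Needs root on
# a live system; pointed at a scratch directory it just writes plain files.
apply_syn_settings() {
    dir=${1:-/proc/sys/net/ipv4}
    for kv in $SYN_SETTINGS; do
        key=${kv%%=*}
        want=${kv#*=}
        echo "$want" > "$dir/$key" || return 1
    done
}

# Read "netstat -s" output on stdin and print how many SYN cookies the kernel
# has sent since boot (0 if the counter is absent). A non-zero, rising number
# means the backlog overflowed and the host, not the firewall, took the flood.
syncookies_sent() {
    awk '/SYN cookies sent/ { n = $1 } END { print n + 0 }'
}

# Constructed sample of the TcpExt section of "netstat -s" on a flooded host:
SAMPLE_NETSTAT='TcpExt:
    1523 SYN cookies sent
    1490 SYN cookies received
    33 invalid SYN cookies received
    7 resets received for embryonic SYN_RECV sockets'

# Usage on a real box (as root): sh syncheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_syn_settings || echo "host is not tuned for SYN floods"
    printf 'SYN cookies sent since boot: '
    netstat -s | syncookies_sent
fi
```

Run against the constructed sample, `syncookies_sent` reports 1523; against a host that has never overflowed its backlog it reports 0, which is the number you want to see if the PIX is doing the job.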