PIX rule base optimization

siddhartha.jain
Level 1

Hi,

I'd like to understand how PIX goes about applying rules on an incoming packet? Is the first rule that matches the packet description applied or does it go to the end of the rule base before making a decision?

Does PIX do any rulebase optimization before applying the rules?

Regards,

Siddhartha

5 Replies

yusuff
Cisco Employee

PIX access-lists are similar to the router's, i.e. top-down: if an ACL line is matched, it exits the loop and performs the required action (permit/deny) depending on the ACL. Conduits, on the other hand, are different: they are going to match the best, i.e. the most specific, of all.

HTH

R/Yusuf

Typically, I would use 'conduit' for putting rules in the firewall. So does it mean that my conduit rule base is not optimized by PIX and I have to manually audit my conduit rule base for performance?

Not sure what you mean by optimization using conduits.

What I mean is that if you use conduits, the arriving packet will be checked for the best match in the conduits, but if it were an ACL, then it would just go top-down: as soon as it hits a match, there is no further lookup.

eg;

packet arrives with a source address of 1.1.1.1

and we have following conduits

conduit deny tcp any 1.1.1.0 255.255.255.0

conduit permit tcp any host 1.1.1.1

in the above case, we will match the 2nd line, since it is best match, more specific. But if we had same scenario in ACL;

access-list 101 deny tcp 1.1.1.0 255.255.255.0 any

access-list 101 permit tcp host 1.1.1.1 any

in ACL above, we will match 1st line, and exit the loop.

Hope that clarifies. So if you use conduits, the more specific match will be picked; with ACL, top-down.

HTH

R/Yusuf
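A small simulation of the two evaluation orders described in the reply above, added here as an illustration (it is not PIX code and not part of the thread). It transcribes the two rule sets from the example, assumes "any" is 0.0.0.0/0, an implicit deny when nothing matches, and reads the second address of each conduit line as the packet source (as the walk-through does); the shadow check at the end is the kind of manual audit the original poster asked about for top-down rule bases.

```python
import ipaddress

# Constructed transcription of the two rule sets in the reply above.
# Each rule is (action, source network, destination network); "any" is 0.0.0.0/0.
# For the conduit lines the second address (1.1.1.0/24, host 1.1.1.1) is taken
# as the packet source, which is how the reply's walk-through reads them.
CONDUITS = [
    ("deny",   "1.1.1.0/24", "0.0.0.0/0"),  # conduit deny tcp any 1.1.1.0 255.255.255.0
    ("permit", "1.1.1.1/32", "0.0.0.0/0"),  # conduit permit tcp any host 1.1.1.1
]
ACL_101 = [
    ("deny",   "1.1.1.0/24", "0.0.0.0/0"),  # access-list 101 deny tcp 1.1.1.0 255.255.255.0 any
    ("permit", "1.1.1.1/32", "0.0.0.0/0"),  # access-list 101 permit tcp host 1.1.1.1 any
]

def matches(rule, src, dst):
    """True if the packet's source and destination both fall inside the rule's networks."""
    _, rule_src, rule_dst = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst))

def acl_decision(rules, src, dst):
    """ACL semantics: the first matching line wins; no match means the implicit deny."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule[0]
    return "deny"

def specificity(rule):
    """Longer prefixes are more specific; sum the source and destination prefix lengths."""
    return (ipaddress.ip_network(rule[1]).prefixlen
            + ipaddress.ip_network(rule[2]).prefixlen)

def conduit_decision(rules, src, dst):
    """Conduit semantics as described in the reply: the most specific matching line wins."""
    hits = [r for r in rules if matches(r, src, dst)]
    return max(hits, key=specificity)[0] if hits else "deny"

def shadowed_lines(rules):
    """Indexes of top-down lines that can never fire because an earlier line covers them."""
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for _, s, d in rules]
    return [j for j in range(len(nets))
            if any(nets[j][0].subnet_of(nets[i][0]) and nets[j][1].subnet_of(nets[i][1])
                   for i in range(j))]
```

For source 1.1.1.1 the conduit set permits and ACL 101 denies, and the shadow check flags the second ACL line as unreachable, which is exactly the ordering problem the thread is about.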

By optimization, what I mean is that Sonicwall puts the rules in a proper sequence even if you enter them randomly, so that the firewall does not have to go to the last rule to make a decision for every packet. This means more specific rules are put before the generic rules automatically by the firewall.

Understanding the Access Rule Hierarchy

The rule hierarchy has two basic concepts:

1. Specific rules override general rules:

An individual service is more specific than the Default service.

A single Ethernet link, such as LAN or WAN, is more specific than * (all).

A single IP address is more specific than an IP address range.

2. Equally specific Deny rules override Allow rules.

Rules are displayed in the Current Network Access Rules list from the most specific to the least specific, and rules at the top override rules listed below.

Could you also tell me what are the differences between access-lists and conduits?

TIA,

Siddhartha

On PIX, rules (i.e. conduits or ACL) are appended at the end, after the last line you had; they are not re-hashed or re-arranged automatically, they stay in the order you entered them.

Conduits and ACL are 2 different ways to configure access, i.e. permit/deny statements. Conduit is the older way of doing it, and ACL is the newer way and the same as that on the router. The conduit or access-list command defines what type of connection is allowed to an inside host and is always required when a lower security host is connecting to a higher security host. The conduit or access-list command is based on both port and protocol; it can be very permissive or very restrictive, depending on what the system administrator wants to achieve.

More

http://www.cisco.com/warp/public/707/28.html

HTH

R/Yusuf
