07-07-2008 09:47 AM
In ScreenOS 6.0 and 6.1 C&E Volume 4, Chapter 5 - Deep Inspection, there is an example on page 128 that defines a policy to allow SMTP and POP3 traffic and then applies Deep Inspection for both SMTP and POP3 critical attack signatures.
If I understand correctly how DI works, both SMTP and POP3 traffic will be scanned for both SMTP and POP3 signatures.
How much of a performance impact will this have on an SSG-550M if the firewall is needlessly scanning SMTP traffic for POP3 signatures and POP3 traffic for SMTP signatures?
From an administrative point of view, it is easier to only have a single policy, but from a performance aspect, wouldn't it be better to have two policies: one for SMTP and one for POP3, and apply only SMTP DI signatures to the SMTP policy and only POP3 DI signatures to the POP3 policy? There might be some slight overhead in policy lookup because of the additional rule, but I would think this would pale in comparison to the resources wasted on the DI scanning.
The entire C&E example appears below, including a warning about mismatched protocols in DI signatures and policies.
The attack object groups that you reference in the DI component of a policy must target the same service type that the policy permits. For example, if the policy permits SMTP traffic, the attack object group must aim at attacks on SMTP traffic. The following policy exemplifies a valid configuration:

set policy id 2 from trust to untrust any any smtp permit attack CRIT:SMTP:SIGS action

The next policy is erroneous because the policy permits SMTP traffic, but the attack object group is for POP3 traffic:

set policy id 2 from trust to untrust any any smtp permit attack CRIT:POP3:SIGS action

The second policy is configured incorrectly and, if implemented, would cause the security device to expend unnecessary resources inspecting SMTP traffic for POP3 attack objects that it could never find. If policy 2 permits both SMTP and POP3 traffic, you can configure the DI component to check for SMTP attack objects, POP3 attack objects, or for both.

set group service grp1
set group service grp1 add smtp
set group service grp1 add pop3
set policy id 2 from trust to untrust any any grp1 permit attack CRIT:SMTP:SIGS action
set policy id 2 attack CRIT:POP3:SIGS action close
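The mismatch the C&E warning describes (a DI attack group aimed at a protocol the policy never permits) can be audited offline from a saved ScreenOS configuration. The script below is an added example, not code from the post or from Juniper; it assumes predefined DI group names use the protocol as their middle component (SEVERITY:PROTOCOL:SIGS) and works on a constructed config modelled on the quoted example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the quoted C&E example: a two-member service
# group, a policy whose two DI groups both match, and a policy whose only DI
# group targets a protocol the policy does not permit.
SAMPLE_CONFIG = """
set group service grp1
set group service grp1 add smtp
set group service grp1 add pop3
set policy id 2 from trust to untrust any any grp1 permit attack CRIT:SMTP:SIGS action close
set policy id 2 attack CRIT:POP3:SIGS action close
set policy id 3 from trust to untrust any any smtp permit attack CRIT:POP3:SIGS action close
"""

GROUP_ADD = re.compile(r"^set group service (\S+) add (\S+)$")
# from <zone> to <zone> <src> <dst> <service> permit [attack <group>]
POLICY_NEW = re.compile(r"^set policy id (\d+) from \S+ to \S+ \S+ \S+ (\S+) permit(?: attack (\S+))?")
POLICY_ATTACK = re.compile(r"^set policy id (\d+) attack (\S+)")


def protocol_of(attack_group):
    """Assumption: predefined DI groups are named <SEVERITY>:<PROTOCOL>:SIGS."""
    parts = attack_group.split(":")
    return parts[1].lower() if len(parts) == 3 else None


def find_mismatches(config_text):
    """Return {policy_id: [DI groups whose protocol that policy never permits]}."""
    service_groups = defaultdict(set)      # group name -> member services
    policies = {}                          # policy id -> {"services", "attacks"}
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := GROUP_ADD.match(line):
            service_groups[m.group(1)].add(m.group(2).lower())
        elif m := POLICY_NEW.match(line):
            pid, svc, atk = m.groups()
            # A service group expands to its members; a plain service stands alone.
            services = set(service_groups.get(svc, {svc.lower()}))
            policies[pid] = {"services": services, "attacks": [atk] if atk else []}
        elif m := POLICY_ATTACK.match(line):
            entry = policies.setdefault(m.group(1), {"services": set(), "attacks": []})
            entry["attacks"].append(m.group(2))
    mismatches = {}
    for pid, p in policies.items():
        if "any" in p["services"]:          # service "any" permits every protocol
            continue
        bad = [a for a in p["attacks"] if protocol_of(a) not in p["services"]]
        if bad:
            mismatches[pid] = bad
    return mismatches
```

Running find_mismatches(SAMPLE_CONFIG) reports policy 3 with CRIT:POP3:SIGS, while policy 2 (SMTP and POP3 via grp1, both DI groups) is clean.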