ScreenOS Firewalls (NOT SRX)
New User
CyberPaladin
Posts: 1
Registered: 07-07-2008

Performance Impact of multiple protocols in DI signatures

In ScreenOS 6.0 and 6.1 C&E Volume 4, Chapter 5 - Deep Inspection, there is an example on page 128 that defines a policy to allow SMTP and POP3 traffic and then applies Deep Inspection for both SMTP and POP3 critical attack signatures.


If I understand correctly how DI works, both SMTP and POP3 traffic will be scanned for both SMTP and POP3 signatures.


How much of a performance impact will this have on an SSG-550M if the firewall is needlessly scanning SMTP traffic for POP3 signatures and POP3 traffic for SMTP signatures? 


From an administrative point of view, it is easier to only have a single policy, but from a performance aspect, wouldn't it be better to have two policies: one for SMTP and one for POP3, and apply only SMTP DI signatures to the SMTP policy and only POP3 DI signatures to the POP3 policy? There might be some slight overhead in policy lookup because of the additional rule, but I would think this would pale in comparison to the resources wasted on the DI scanning.


The entire C&E example appears below, including a warning about mismatched protocols in DI signatures and policies.


The attack object groups that you reference in the DI component of a policy must target the same service type that the policy permits. For example, if the policy permits SMTP traffic, the attack object group must aim at attacks on SMTP traffic. The following policy exemplifies a valid configuration:

set policy id 2 from trust to untrust any any smtp permit attack CRIT:SMTP:SIGS action close

The next policy is erroneous because the policy permits SMTP traffic, but the attack object group is for POP3 traffic:

set policy id 2 from trust to untrust any any smtp permit attack CRIT:POP3:SIGS action close

The second policy is configured incorrectly and, if implemented, would cause the security device to expend unnecessary resources inspecting SMTP traffic for POP3 attack objects that it could never find. If policy 2 permits both SMTP and POP3 traffic, you can configure the DI component to check for SMTP attack objects, POP3 attack objects, or for both.

set group service grp1
set group service grp1 add smtp
set group service grp1 add pop3
set policy id 2 from trust to untrust any any grp1 permit attack CRIT:SMTP:SIGS action close
set policy id 2 attack CRIT:POP3:SIGS action close

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.
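The two-policy split the post asks about, written out in ScreenOS CLI as an added example (it is not from the C&E guide or from the original post). The zone names, the service names and the attack group names CRIT:SMTP:SIGS and CRIT:POP3:SIGS are taken from the C&E example above; policy ID 3 is an assumed free ID, and the lines beginning with # are annotations for the reader, not CLI input.

```text
# Policy 2: permits only SMTP, so only the SMTP critical attack group is bound to it
set policy id 2 from trust to untrust any any smtp permit attack CRIT:SMTP:SIGS action close

# Policy 3 (assumed free ID): permits only POP3, so only the POP3 critical attack group is bound to it
set policy id 3 from trust to untrust any any pop3 permit attack CRIT:POP3:SIGS action close
```

Compared with the single grp1 policy in the C&E text, each policy here carries exactly one attack object group, so a POP3 session is never matched against SMTP signatures and vice versa; the cost is one extra rule in the trust-to-untrust policy set.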