Screen OS

Hi Everyone,

Just a simple question,but always confused to me,i'm not clear.Anyone can giveme an answer?

I'm a QA engineer for netscreen platform more than 2 yeas in common regression testing.

Thans inadvance 

Traditionally a router connects networks at the IP level (layer 3). A firewall can do the same but adds security policies to the mix.

I don't know that the terms really matter so much anymore as you can have a router that performs stateful security functions, firewalls that can route, and switches that can perform routing duties.

I guess where one would break out that this device is a router, that device is a firewall, etc comes with scale.

For example, one can collapse our border router and SSG firewall into a new SRX firewall chassis that we are deploying. We have deployed EX switches that work as both switch and router. We have deployed SRX firewalls that perform security duties, routing, and switch duties.

At a certain traffic load it makes sense to either purchase larger devices and at an even larger load it makes sense to scale the router being a routing device, the firewall being a security device, etc.

For example, an EX2200 can do some routing but you may not want to use it for full on BGP peering. A scenario like that might use a larger EX switch or you would go for a J/M/etc actual router.

I would say the primary difference between a router and a firewall is the state table.

Routers process packets as they arrive and perform the rule match and either drop or forward.  Then the next packet starts all over again.  Routers have no memory of any connections/sessions/flows.

Firewalls maintain a state table of some sort and know about "flows" or "connections" between two devices.  When the packet first arrives more processing is done to create that first session.  Subsequent packets are then just matched to this existing session/flow/connection and permitted through. 

So the first packet process is much longer than the subsequent ones.

Firewalls then have a size limit to the number of active sessions they can hold in memory and this is one of the statistics we watch as we size the firewall to the job.

And with the help of the 'State Table' mentioned by Steve, the firewall can keep track of the complete stream of packet transactions between the  client and server.

By this, extended threats, which will not be evident while scanning a single packet can be identified. Some examples are TCP syn-check, sequence number check, re-assembly of fragmented packets for inspection etc.,

Hi Gokul

Thanks for u help.

Here is another concept:transaction&&session.------->>what's the difference between them?

In my understanding:sessions just record the simple src&dst ip address,ports,policy .etc

                               transactions record all the actions when packets received in box till then packets been sended out 

I heared in SRX platform,a new mechanism called transoptions,this functions is the same as transactions?

Regards

Lau

Hi Lau,

Are you reffering to Traceoptions IN SRX ? Because that is something to do with debugging of the flow ..

Regards

Jubin 

Hi Jubin,

Just as debug function in ScreenOS?

Regards

Lau

Lau ,

You are correct . Just as a Screen-os debug .

Traceoption has nothing do with state table or session .

Regards

Jubin 

Hi spuluka,

I think the concept of "session" can appear anywhere,even in router.i think there have special definitions in router?right?

Regards

Lau