[SUMM] tcp wrappers and performance from Susan Rodriguez on 1998-09-19 (tru64-unix-managers)

From: Susan Rodriguez <SUSROD_at_HBSI.COM>
Date: Fri, 18 Sep 1998 10:25:07 -0700

Thanks for the responses. General consensus is that tcp wrappers make
little to no impact on performance of network traffic / apps. One
suggestion that I intend to look into is installing the identd daemon
(see posted messaged below).

susrod_at_hbsi.com

*****************************************
ORIGINAL POST:

----------
From: Susan Rodriguez
Sent: Friday, September 18, 1998 8:33 AM
To: 'alpha-osf-managers_at_ornl.gov'
Subject: [Q] - tcp wrappers and performance

We are looking at installing tcp wrappers for network security reasons.
My network guru is concerned about the impact the wrappers will have on
the performance of the network and network services.

I would appreciate comments, experiences, advice from anyone who is
well-versed in administering systems with tcp wrappers installed.

Thanks,

susrod_at_hbsi.com

******************************************
RESPONSES FROM THE LIST:

----------
From: Arrigo Triulzi[SMTP:arrigo_at_albourne.com]
Sent: Friday, September 18, 1998 8:59 AM
To: Susan Rodriguez
Subject: Re: [Q] - tcp wrappers and performance

Susan Rodriguez scripsit:
|We are looking at installing tcp wrappers for network security reasons.
|My network guru is concerned about the impact the wrappers will have on
|the performance of the network and network services.

It depends on how you use them. Normally a connection to a TCP-Wrapped
machine will cause:

1) an ident query to the remote machine to identify the caller
2) a finger request (if required) to further log the connection

otherwise everything else is as normal. You could mention that if he
is using a recent version of sendmail _each_ connection to or from his
machine will make use of ident.

If you correctly install the identd daemon on all your boxes (you will
have to download and compile it) then the daemon will reply and you
will not have any timeout problems (not real problems of course,
simply the connection seems to "hang" for a while, this is tunable in
TCP-Wrappers). I would strongly recommend installing identd.

My networks all run TCP-Wrappers and I can assure you that there is no
appreciable slowdown in the network.

Ciao,

Arrigo

-- 
Arrigo Triulzi <arrigo_at_albourne.com> - Systems Director
Albourne Partners Ltd. - London, UK
---------------------------------
----------
From: 	Everett Doner[SMTP:everett.doner_at_oberlin.edu]
Reply To: 	everett.doner_at_oberlin.edu
Sent: 	Friday, September 18, 1998 8:55 AM
To: 	Susan Rodriguez
Subject: 	Re: [Q] - tcp wrappers and performance
Susan:
We installed fairly restrictive wrappers on most of our systems after a
hacking incident in February. We log attempts from outside our
acceptible
IP/Domains and have email sent to the sysadmins and network admins.
While
there aren't many attempts per day (+ - 25) we have seen no performance
decrease whatsover on the network due to the wrappers.
Hope this helps,
Everett
Susan Rodriguez wrote:
> 
> We are looking at installing tcp wrappers for network security
reasons.
> My network guru is concerned about the impact the wrappers will have
on
> the performance of the network and network services.
> 
> I would appreciate comments, experiences, advice from anyone who is
> well-versed in administering systems with tcp wrappers installed.
> 
> Thanks,
> 
> susrod_at_hbsi.com
-- 
--------------------------------
Everett L. Doner
Associate SysManager; Webmaster
Oberlin College
(440) 775-6561
edoner_at_www.oberlin.edu
--------------------------------
 -----------------------------------------------------------
----------
From: 	Kevin Oberman[SMTP:oberman_at_es.net]
Sent: 	Friday, September 18, 1998 8:49 AM
To: 	Susan Rodriguez
Subject: 	Re: [Q] - tcp wrappers and performance 
Since TCP wrappers validate connections, they only cause a slight
performance hit when a connection is established and none after that.
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman_at_es.net			Phone: +1 510 486-8634
------------------------------------------------------------------------
----
----------
From: 	Mike Iglesias[SMTP:iglesias_at_draco.acs.uci.edu]
Sent: 	Friday, September 18, 1998 8:46 AM
To: 	Susan Rodriguez
Subject: 	Re: [Q] - tcp wrappers and performance 
We don't notice any performance issues with the tcp wrappers, especially
with the faster systems.  Even if there was a small, barely significant
performance hit, it's worth it.
Mike

Received on Fri Sep 18 1998 - 17:25:15 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:38 NZDT