Firewall Wizards mailing list archives
Re: NAI Guantlet "Best of Show Award" The Real Deal
From: "Dale Lancaster" <dlancaster () raptor com>
Date: Wed, 11 Nov 1998 21:07:08 -0600
> I'd love to understand it better, but am finding it frustrating to "discuss" it on this list with people who haven't read the whitepaper.
Hi Fred, I did read the whitepaper, so I do have some fully qualified opinions (below) based on a very small amount of true technical information found in the whitepaper concerning the adaptive proxy (most of it was laying groundwork about the history of firewalls).
> It never did look to me like reworking of other companies' old philosophies, whatever that means, Andy (:-)). Seems like something some of us have been asking for, for quite a while: security mechanisms added in series rather than in parallel with the proxy mechanism still in control.
If we agree that the basic "feature" being touted is something like: start a connection at the proxy layer and then send data packets through at the packet layer AND you agree that it's done primarily to increase throughput of the firewall - then I would agree with Andy that it is a re-work of the CISCO PIX, Secure Computing and Raptor Firewall technologies that do exactly as described. I do not believe that the Checkpoint Firewall does anything like it when using their Security Servers (proxies).
> This is not what Raptor does, as far as I can tell from talking to them, and it is certainly not the same thing as what FW-1 and PIX do with adding proxies to their firewalls, as far as I can tell.
I know what the Raptor Firewall Fastpath (RFF) does, but I don't know if it does more or less than what Gauntlet Adaptive Proxy (GAP) does. Based strictly on the whitepaper, I would judge it to be very similar to the RFF stuff and both being more than what CISCO PIX offers. The Cut-through proxy appears to have the actual proxy go away and not have anything more to do with the connection, whereas GAP and RFF leave the proxy "running", but only for control, not data transfer.
From the whitepaper:
"With an adaptive proxy firewall, initial security examinations are still conducted at the secure application layer, but subsequent packets can be redirected through the network layer as soon as the security clearance has been made (see Figure D). As a result, an adaptive proxy firewall is every bit as secure as a standard proxy firewall, but offers the faster performance of a stateful packet inspection product. Gauntlet, from Network Associates is the only firewall product on the market that offers this patent-pending adaptive proxy technology."

I would note a couple of things with this paragraph:

1) "initial security examinations" - that's key. It means that the basic security authorization is done and nothing more after that with the packets flowing through. Initial to me would include: user authentication, access rule authorization (source/destination type stuff), logging and maybe other similar things that occur during the initial setup of a connection through the firewall.

2) "As a result, an adaptive proxy firewall is every bit as secure as a standard proxy firewall ...". I would claim this is simply not true. The real value of a standard proxy firewall is the fact that application data is checked for known attacks, not just that a logical separation of the networks has occurred by creating a new connection for every session. For example (one of many), the "standard Raptor Firewall SMTP proxy" scans for and blocks buffer overrun attacks within the SMTP data stream, looking at email headers. If the SMTP data packets are streamed through at the packet layer, this is not going to be done any longer. So, if the Gauntlet SMTP proxy or other proxies don't do much more than do initial security checks, then the paragraph should be modified to read "...every bit as secure as Gauntlet's standard proxy firewall" and not group all the rest of us APFs into that statement.
Other things from the paper: "Security experts who have seen the new adaptive proxy technology agree that it is fundamentally changing the dynamics of the firewall market by eliminating the compromise that has always existed between speed and security when choosing a firewall." They did quote one expert, but I would claim that the dynamics changed before the technology arrived due to other vendors already introducing something very similar to it. I realize it's just marketing hype, but it is in a technical white paper :-)

I read one paragraph that appeared to describe exactly what it does: "The dynamic packet filter in an adaptive proxy firewall allows proxies to request notification of new connections. The proxy can then examine specific connection information and tells the dynamic packet filter what to do with the connection. Choices include rejecting, forwarding, or absorbing to the application level. The dynamic packet filtering rule base is automatically adjusted by the proxy for each new connection. In addition, dynamic packet filtering allows proxies to specify which connections should be automatically forwarded without notification. When a connection is terminated, the dynamic packet filter ensures security is not compromised in future connections by automatically removing the connection rule and requiring a new decision to be made for subsequent connections. After the connection is terminated, the dynamic packet filter notifies the proxy and provides summary information about the connection."

Based on this description, it really is simply the following:

1) Packets arrive at the firewall.
2) GAP looks at its state table for active connections and either sends it up to the proxy, sends it through or rejects it.
3) If it's a new connection, the "standard proxy" will service the packets, check the rule base, do user authentication, log the connection and then send a signal down to the packet filter layer to forward all future packets through (using a stateful connection).
4) Future packets for that connection are sent through until the last packet is seen (TCP FIN).
5) Proxy is notified of the last packet (or is given the packet?) and it cleans up.

The above basically describes the Raptor implementation as well. The CISCO implementation would simply have the proxy go away completely. I cannot comment on the Secure Computing version of this capability.
I am looking for any technical writeup that talks about this supposed old, already done technology by any other vendor. No one has come forth with anything yet.
I'm also looking for more technical writeup from Gauntlet; details really are lacking other than pie-in-the-sky examples of what "could" occur. We need more concrete, actual examples of what really happens. I'm working with our developers to put together a Raptor version of a technical paper since this obviously will be compared over and over - I would like to do it once with a paper :-).

regards,
dale

=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================
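A toy model of the five-step flow laid out in the post above, added here as an illustration and not code from Gauntlet, Raptor or any other vendor; the packet layout, the dynamic-filter table, the port-based rule check and the overlong-header check are all assumed for the example. It makes the point about payload inspection concrete: the proxy only examines packets it absorbs, so a header line that would fail its check is forwarded unexamined once the connection has been cut through to the packet layer.

```python
from dataclasses import dataclass, field

MAX_LINE = 64  # constructed limit for the proxy's toy "overlong header" check
SMTP = 25

@dataclass
class Packet:
    flow: tuple          # (src, dst, dport) identifies the connection
    payload: bytes = b""
    fin: bool = False

@dataclass
class AdaptiveFirewall:
    allowed_dports: set
    table: dict = field(default_factory=dict)   # dynamic filter: flow -> rule
    log: list = field(default_factory=list)
    inspected: int = 0                           # payloads the proxy actually saw

    def header_ok(self, payload):
        # Application-layer check; only runs on packets absorbed to the proxy
        self.inspected += 1
        return all(len(line) <= MAX_LINE for line in payload.splitlines())

    def proxy(self, pkt):
        # Step 3: initial examination, then adjust the packet-filter rule base
        if pkt.flow[2] not in self.allowed_dports or not self.header_ok(pkt.payload):
            self.log.append(("REJECT", pkt.flow))
            return "REJECT"
        self.table[pkt.flow] = "FORWARD"
        self.log.append(("OPEN", pkt.flow))
        return "FORWARD"

    def handle(self, pkt):
        # Step 2: consult the state table; unknown flows go up to the proxy
        if pkt.flow not in self.table:
            return self.proxy(pkt)
        if pkt.fin:                   # steps 4-5: remove the rule, notify the proxy
            del self.table[pkt.flow]
            self.log.append(("CLOSE", pkt.flow))
        return "FORWARD"              # cut-through: no payload inspection here

def smtp_session():
    """Constructed session: the overlong header arrives after cut-through."""
    fw = AdaptiveFirewall(allowed_dports={SMTP})
    flow = ("10.0.0.5", "192.0.2.25", SMTP)
    pkts = [Packet(flow, b"HELO client.example\r\n"),
            Packet(flow, b"MAIL FROM:<a@example>\r\n"),
            Packet(flow, b"Subject: " + b"A" * 500 + b"\r\n"),  # would fail header_ok
            Packet(flow, fin=True)]
    actions = [fw.handle(p) for p in pkts]
    return actions, fw.inspected, fw.log
```

The returned `inspected` count of 1 against four forwarded packets is the gap the post describes: only the first packet of the flow ever reached the application-layer check.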
Current thread:
- NAI Guantlet "Best of Show Award" The Real Deal Waszak, Tom (Nov 10)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Joseph S D Yao (Nov 10)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Christopher Nicholls (Nov 11)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Andy Smith (Nov 11)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Frederick M Avolio (Nov 11)
- <Possible follow-ups>
- RE: NAI Guantlet "Best of Show Award" The Real Deal Waszak, Tom (Nov 10)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Joseph S D Yao (Nov 11)
- Re: NAI Guantlet "Best of Show Award" The Real Deal HASSAN . KARIM (Nov 11)
- Re: NAI Guantlet "Best of Show Award" The Real Deal cbrenton (Nov 11)
- RE: NAI Guantlet "Best of Show Award" The Real Deal Waszak, Tom (Nov 11)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Dale Lancaster (Nov 12)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Frederick M Avolio (Nov 12)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Dale Lancaster (Nov 12)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Frederick M Avolio (Nov 12)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Paul D. Robertson (Nov 12)
- Re: NAI Guantlet "Best of Show Award" The Real Deal Frederick M Avolio (Nov 12)