Firewall Wizards mailing list archives

Re: NAI Guantlet "Best of Show Award" The Real Deal


From: "Dale Lancaster" <dlancaster () raptor com>
Date: Wed, 11 Nov 1998 21:07:08 -0600

> I'd love to understand it better, but am finding it frustrating to
> "discuss" it on this list with people who haven't read the whitepaper.


Hi Fred, I did read the whitepaper, so I do have some fully qualified
opinions (below) based on a very small amount of true technical information
found in the whitepaper concerning the adaptive proxy (most of it was laying
ground work about the history of firewalls).

> It never did look to me like reworking of other companies' old
> philosophies, whatever that means, Andy (:-)). Seems like something some of
> us have been asking for for quite a while: security mechanisms added in
> series rather than in parallel with the proxy mechanism still in control.


If we agree that the basic "feature" being touted is something like: start a
connection at the proxy layer and then send data packets through at the
packet layer AND you agree that it's done primarily to increase throughput of
the firewall - then I would agree with Andy that it is a re-work of the
CISCO PIX, Secure Computing and Raptor Firewall technologies that do exactly
as described.  I do not believe that the Checkpoint Firewall does anything
like it when using their Security Servers (proxies).

> This is not what Raptor does, as far as I can tell from talking to them,
> and it is certainly not the same thing as what FW-1 and PIX do with adding
> proxies to their firewalls, as far as I can tell.

I know what the Raptor Firewall Fastpath (RFF) does, but I don't know if it
does more or less than what Gauntlet Adaptive Proxy (GAP) does.  Based
strictly on the whitepaper, I would judge it to be very similar to the RFF
stuff and both being more than what CISCO PIX offers.  The Cut-through proxy
appears to have the actual proxy go away and not have anything more to do
with the connection, whereas GAP and RFF leave the proxy "running", but only
for control, not data transfer.

From the whitepaper:

"With an adaptive proxy firewall, initial security examinations are still
conducted at the secure application layer, but subsequent packets can be
redirected through the network layer as soon as the security clearance has
been made (see Figure D). As a result, an adaptive proxy firewall is every
bit as secure as a standard proxy firewall, but offers the faster
performance of a stateful packet inspection product. Gauntlet, from Network
Associates is the only firewall product on the market that offers this
patent-pending adaptive proxy technology."

I would note a couple things with this paragraph:

1) "initial security examinations" - that's key.  It means that the basic
security authorization is done and nothing more after that with the packets
flowing through.  Initial to me would include: user authentication, access
rule authorization (source/destination type stuff), logging and maybe other
similar things that occur during the initial setup of a connection through
the firewall.

2) "As a result, an adaptive proxy firewall is every bit as secure as a
standard proxy firewall ...".  I would claim this is simply not true.  The
real value of a standard proxy firewall is the fact that application data is
checked for known attacks, not just that a logical separation of the
networks has occurred by creating a new connection for every session.  For
example (one of many), the "standard Raptor Firewall SMTP proxy" scans for
and blocks buffer overrun attacks within the SMTP data stream, looking at
email headers.  If the SMTP data packets are streamed through at the packet
layer, this is not going to be done any longer.  So, if the Gauntlet SMTP
proxy or other proxies don't do much more than do initial security checks,
then the paragraph should be modified to read "...every bit as secure as
Gauntlet's standard proxy firewall" and not group all the rest of us APFs
into that statement.

Other things from the paper:

"Security experts who have seen the new adaptive proxy technology agree that
it is fundamentally changing the dynamics of the firewall market by
eliminating the compromise that has always existed between speed and
security when choosing a firewall."

They did quote one expert, but I would claim that the dynamics changed
before the technology arrived due to other vendors already introducing
something very similar to it.  I realize it's just marketing hype, but it is
in a technical white paper :-)

I read one paragraph that appeared to describe exactly what it does:

"The dynamic packet filter in an adaptive proxy firewall allows proxies to
request notification of new connections. The proxy can then examine specific
connection information and tells the dynamic packet filter what to do with
the connection. Choices include rejecting, forwarding, or absorbing to the
application level. The dynamic packet filtering rule base is automatically
adjusted by the proxy for each new connection. In addition, dynamic packet
filtering allows proxies to specify which connections should be
automatically forwarded without notification. When a connection is
terminated, the dynamic packet filter ensures security is not compromised in
future connections by automatically removing the connection rule and
requiring a new decision to be made for subsequent connections. After the
connection is terminated, the dynamic packet filter notifies the proxy and
provides summary information about the connection."

Based on this description, it really is simply the following:

1) Packets arrive at the firewall.
2) GAP looks at its state table for active connections and either sends it
up to the proxy, sends it through or rejects it.
3) If it's a new connection, the "standard proxy" will service the packets,
check the rule base, do user authentication, log the connection and then
send a signal down to the packet filter layer to forward all future packets
through (using a stateful connection).
4) Future packets for that connection are sent through until the last packet
is seen (TCP FIN).
5) Proxy is notified of the last packet (or is given the packet?) and it
cleans up.

The above basically describes the Raptor implementation as well.  The CISCO
implementation would simply have the proxy go away completely.  I cannot
comment on the Secure Computing version of this capability.

> I am looking for any technical writeup that talks about this supposed old,
> already done technology by any other vendor. No one has come forth with
> anything yet.

I'm also looking for more technical writeup from Gauntlet, details really
are lacking other than pie in the sky examples of what "could" occur.  We
need more concrete, actual examples of what really happens.  I'm working
with our developers to put together a Raptor version of a technical paper
since this obviously will be compared over and over - I would like to do it
once with a paper :-).

regards,
dale
=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================
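As an added illustration (not from the whitepaper, from Gauntlet, or from any vendor's code) of the five steps listed in the post and of the point made in (2), here is a toy model of a proxy sitting above a dynamic packet filter: only the first packet of a flow is absorbed to the proxy for the initial checks, every later packet is passed at the network layer without the proxy's content check, and the per-connection rule is removed on FIN with a summary handed back to the proxy. The addresses, the rule base and the 512-byte header limit are constructed for the example.

```python
from collections import namedtuple

# Constructed packet model: flags is "SYN", "FIN" or ""; payload is raw bytes.
Packet = namedtuple("Packet", "src dst dport flags payload", defaults=("", b""))

class Proxy:
    """Application layer: sees only the packets the filter absorbs to it."""
    MAX_HEADER = 512  # assumed limit for the header-overrun check
    def __init__(self, rules):
        self.rules = rules   # allowed (source address, destination port) pairs
        self.log = []
    def inspect(self, pkt):
        # Content check of the kind the post credits to a standard SMTP proxy:
        # refuse over-long header lines.  Runs only while the proxy is in the path.
        return all(len(l) <= self.MAX_HEADER for l in pkt.payload.split(b"\n"))
    def new_connection(self, pkt):
        # "Initial security examinations": rule base plus the content check.
        ok = (pkt.src, pkt.dport) in self.rules and self.inspect(pkt)
        self.log.append(("open", pkt.src, pkt.dport, ok))
        return "forward" if ok else "reject"
    def closed(self, key, summary):
        self.log.append(("close", key, summary))

class DynamicPacketFilter:
    def __init__(self, proxy):
        self.proxy, self.state = proxy, {}  # state: flow key -> packets passed

    def handle(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.state:                     # steps 2 and 4: established flow
            self.state[key] += 1                  # forwarded; proxy never sees it
            if "FIN" in pkt.flags:                # step 5: drop rule, notify proxy
                self.proxy.closed(key, {"packets": self.state.pop(key)})
            return "forward"
        if "SYN" not in pkt.flags:
            return "reject"                       # no state and not a new connection
        verdict = self.proxy.new_connection(pkt)  # step 3: absorb to the proxy
        if verdict == "forward":
            self.state[key] = 1                   # per-connection rule installed
        return verdict

def run_demo():
    proxy = Proxy(rules={("10.1.1.5", 25)})
    dpf = DynamicPacketFilter(proxy)
    long_hdr = b"Subject: " + b"A" * 2000 + b"\n"  # constructed oversize header
    flow = [Packet("10.1.1.5", "192.0.2.10", 25, "SYN"),
            Packet("10.1.1.5", "192.0.2.10", 25, "", b"EHLO client\n"),
            Packet("10.1.1.5", "192.0.2.10", 25, "", long_hdr),  # bypasses inspect()
            Packet("10.1.1.5", "192.0.2.10", 25, "FIN"),
            Packet("10.9.9.9", "192.0.2.10", 25, "SYN")]         # not in rule base
    return [dpf.handle(p) for p in flow], proxy.log, proxy.inspect(flow[2])
```

The third packet is forwarded by the filter even though the proxy's own check would have rejected it, which is exactly the gap the post's point (2) is about.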