Firewall Wizards mailing list archives

Re: Gauntlet adaptive proxies


From: "Dale Lancaster" <dlancaster () raptor com>
Date: Sat, 7 Nov 1998 14:07:28 -0600

-----Original Message-----
From: Chris Michael <cm () rmsbus com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Saturday, November 07, 1998 12:14 PM
Subject: Gauntlet adaptive proxies


What do folks make of Gauntlet's adaptive proxies that got best of show at
Networld+Interop?  As I understand it the proxies can be configured to
switch over to packet filtering after the initial connection has been set
up, thus preserving a lot of the security while increasing the speed.

Press release is at:
http://www.nai.com/about/news/press/1998/october/102898.asp

Chris

It's not a new technology for firewalls, just new to Gauntlet.  The same
basic feature is available on CISCO PIX as "Cut-through Proxy", announced
about 18 months ago.  AXENT Raptor Firewall has had it for about 9 months,
known as "Fastpath".  For CISCO it was added to their stateful architecture
as a means to add user authentication to a connection and still do stateful
packet filtering; no significant application level filtering was being done
with the "proxy" portion.  For Raptor, it was done to give a performance boost.

I will grant NA the honor of doing a good marketing job on a technology that
is not new, but has been positioned against stateful packet filtering in a
positive way.  Reading the PR closely, it does state they were a Finalist for
N+I Best of Show, not the actual winner of the award (unless all the
finalists are the winners, not sure how that works). I am surprised in the
announcement that they claim it "took years of research" - seems like a long
time to figure this out.

Overall, it's a great feature to have for both stateful and proxy firewalls.
It allows you to authenticate a connection, do the basic logging and then,
if your security policy and comfort level allows, lets you gain the
performance advantage of not doing any content scanning of the packets that
flow through.  Once the packets start streaming through at the packet layer,
it's fundamentally equivalent to what you get with stateful packet filtering
firewalls - no significant (or any) application level scanning of content,
but a stateful connection with address hiding/NAT.  So, in essence, you have
the best of both worlds with an application level firewall that has this
feature: complete proxy, application aware filtering and/or just your basic
stateful packet filtering - whatever suits your fancy.  I am not sure with
Gauntlet how much application level filtering it does; if it doesn't do much
more than poke the connection through, it might be worth sticking with the
Adaptive Proxy on all connections.

IMHO, this feature isn't worth using (at least on the Raptor Firewall) until
you need significant performance in the 25 to 30 Mbit/sec and above range.
Below that range, the application level proxies (mainly HTTP and FTP) can
keep up (obviously platform dependent), with the added benefit of significant
protocol and application specific checks (meaning that application specific
attacks are filtered out, not virus scanning and the like).

regards,
dale
=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================


--  <--listserv unconfuser
{
|  Christopher Michael
|  RMS: information technology integrators
|  <cm () rmsbus com>
|  PGP key at http://rmsbus.com/cm-pgp.htm
|  PGP fingerprint (RSA):  585A 5EAA 6A93 EF98  EF15 F79F 7B42 4B2A
}
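As an added illustration (not code from the list post, nor from Gauntlet, PIX or Raptor), here is a toy Python model of the authenticate-and-log-then-cut-through behaviour Dale describes; every class and method name is hypothetical, and the HTTP request-line check stands in for a real proxy's protocol checks. It makes his caveat concrete: once a flow has moved to the packet-layer state, content the proxy would have rejected passes through unscanned, which is why the feature is a policy decision rather than a free speed-up.

```python
# Toy model of an "adaptive proxy" / "cut-through proxy" / "Fastpath" flow.
# All names here are invented for the illustration.
from dataclasses import dataclass, field


@dataclass
class Flow:
    key: tuple              # (src_ip, dst_ip, dst_port) identifies the connection
    state: str = "inspect"  # "inspect": application-level proxy; "fastpath": packet filter only
    log: list = field(default_factory=list)


class AdaptiveProxy:
    def __init__(self, adaptive: bool, users: set):
        self.adaptive = adaptive  # policy knob: may a flow be cut through to the packet layer?
        self.users = users        # users allowed to open connections
        self.flows = {}           # connection table (the "stateful" part)
        self.scanned = 0          # how many packets received application-level checks

    def app_layer_check(self, payload: bytes) -> bool:
        """Stand-in for protocol-specific proxy checks: accept only a sane HTTP request line."""
        parts = payload.split(b"\r\n")[0].split(b" ")
        return len(parts) == 3 and parts[0] in (b"GET", b"POST") and parts[2].startswith(b"HTTP/1.")

    def handle(self, key: tuple, payload: bytes, user=None) -> str:
        flow = self.flows.get(key)
        if flow is None:
            # Unknown connection: authenticate and log exactly once, else drop (stateful behaviour).
            if user not in self.users:
                return "drop: unauthenticated"
            flow = Flow(key)
            flow.log.append(f"connect user={user}")
            self.flows[key] = flow
        if flow.state == "fastpath":
            # Cut-through: stateful pass-through with no content inspection at all.
            return "pass (stateful, no content scan)"
        self.scanned += 1
        if not self.app_layer_check(payload):
            del self.flows[key]
            return "drop: failed application check"
        if self.adaptive:
            # Policy allows it: remaining packets on this flow skip the proxy entirely.
            flow.state = "fastpath"
            flow.log.append("cut-through: remaining packets handled at packet layer")
        return "pass (proxied, content scanned)"


# Constructed sample traffic for the illustration.
KEY = ("10.0.0.5", "192.0.2.10", 80)
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD = b"\x00\x00not-http-at-all"
```

Running the same two packets through `AdaptiveProxy(adaptive=True, ...)` and `AdaptiveProxy(adaptive=False, ...)` shows the difference: with cut-through enabled the malformed second packet passes and only one packet was ever scanned, while the full proxy scans both and drops it.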