Firewall Wizards mailing list archives

Re: Corporate H/N IPS


From: Chris Boscolo <Chris.Boscolo () watchguard com>
Date: Mon, 16 Dec 2002 13:49:27 -0800



On 12/15/02 9:47 PM, "David Lang" <david.lang () digitalinsight com> wrote:
I'm not sure I would buy that application proxy firewalls are inherently
harder to run. 

now looking at what's currently on the market I could believe that what's
currently being sold as application proxy firewalls are slightly harder to
run, but I think there are bigger reasons people don't run them

1. the two biggest application firewalls have been sold at least once in
the last couple of years (Gauntlet and Raptor), leading to support
problems during the transition (support problems that have gotten bad
enough to drive away loyal customers)

[This borders on being a commercial, but I do have a point to make.]

WatchGuard has been selling firewalls with [transparent] application proxies
since 1996.  In terms of number of units, I think we surpass the two you
mentioned combined.  One difference with our firewall and the two you
mentioned is that we have traditionally targeted companies with small or no
IT staff and thus focused on ease-of-use.

The point I am making is that I do not believe that application-proxy-based
firewalls are necessarily more difficult to set up than SPF-based
technologies.  It really depends on what additional features in the
application proxies you want to allow the user to configure. In some cases,
like our DNS Proxy, it's a simple issue of which ICON you choose in the GUI.

2. the perception that they aren't 'fast enough' (people run raptor on
windows and get > 200Mb throughput, how fast do you really need to be?)

I agree that this is a perception problem and not one of pure installation
requirements for the throughput issue, but I'm not sure you can say the same
thing about scalability.
There are actually two issues with traditional application proxy
technologies: speed and scalability.   For most installations, I agree with
you that the throughput is more than adequate to handle the internet pipe.
But, I cannot say the same for scalability.  Generally speaking, traditional
application proxy firewalls cannot proxy as many sessions as a simple SPF
firewall, given comparable hardware.

3. market share (after all if all the other companies are running SPF
firewalls why should we buy anything else)

4. with a good application proxy firewall it's hard to say 'well, just let
everything through for now and we'll tighten it up later'

Again, this also does not have to be true.  With a firewall that is a
hybrid (one that does both SPF and application proxies), it is easy to
deploy with this tactic.  Plus, you have the flexibility to turn off the
application proxy based technology if there is indeed a
performance/scalability issue.


David Lang 

Getting back to the original thread, "what Marketing people are calling IPS
is just a repackaging of application proxy Firewalls", there is no question
that there are great similarities between the two.  It should be noted that
from a packet-flow perspective there is actually a big difference between
application proxy-based firewalls and IPS that are based on NIDS systems
that do TCP reassembly.

Unfortunately, distinctions like this barely matter when written in glossy
Marketing materials.

    -chrisb

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
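The packet-flow difference Chris points to at the end of his message (a transparent application proxy terminates the client's TCP session and originates a new, normalized stream towards the server, while an inline IPS built on a NIDS engine forwards the client's original segments and only reassembles a shadow copy to match against) can be made concrete with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from WatchGuard, or from any of the products named. The segment format, the HTTP method allow-list, the `cmd.exe` pattern and the 16-byte proxy segment size are assumed illustrative values, and the sample requests are constructed inline.

```python
"""Simulated packet flow through an application proxy versus an inline,
NIDS-based IPS, on constructed TCP segments (no sockets involved)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of the first payload byte in the client's stream
    payload: bytes


def segment(data: bytes, size: int, start_seq: int = 0) -> List[Segment]:
    """Split a byte string into segments of at most `size` bytes."""
    return [Segment(start_seq + i, data[i:i + size])
            for i in range(0, len(data), size)]


def reassemble(segments: List[Segment]) -> bytes:
    """Rebuild the contiguous in-order stream from possibly out-of-order
    segments.  Bytes not yet reachable from sequence 0 are left out, and on
    overlap the first copy seen wins (one common NIDS choice)."""
    bytes_by_seq: Dict[int, int] = {}
    for s in segments:
        for i, b in enumerate(s.payload):
            bytes_by_seq.setdefault(s.seq + i, b)
    out = bytearray()
    pos = 0
    while pos in bytes_by_seq:
        out.append(bytes_by_seq[pos])
        pos += 1
    return bytes(out)


# Assumed illustrative policy: which methods may pass and a forbidden token.
ALLOWED_METHODS = (b"GET", b"HEAD")
BAD_PATTERN = b"cmd.exe"


def policy_allows(request: bytes) -> bool:
    """Application-level policy applied to a complete HTTP request line."""
    request_line = request.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method in ALLOWED_METHODS and BAD_PATTERN not in request_line


def proxy_forward(client_segments: List[Segment],
                  mss: int = 16) -> Optional[List[Segment]]:
    """Application proxy: terminate the client side, wait for the whole
    request, apply policy, then emit a *new* server-side stream with the
    proxy's own sequence numbers and segmentation.
    Returns [] while the request is incomplete, None when it is refused."""
    request = reassemble(client_segments)
    if b"\r\n\r\n" not in request:
        return []                      # still buffering; nothing sent yet
    if not policy_allows(request):
        return None                    # refused; the server never sees it
    return segment(request, mss)       # normalized, in-order, re-segmented


def ips_forward(client_segments: List[Segment]) -> List[Segment]:
    """Inline NIDS-style IPS: forward each original segment as it arrives
    while reassembling a shadow copy; stop forwarding once the shadow
    stream matches.  Segments already passed have reached the server."""
    forwarded: List[Segment] = []
    shadow: List[Segment] = []
    for s in client_segments:
        shadow.append(s)
        if BAD_PATTERN in reassemble(shadow):
            break
        forwarded.append(s)
    return forwarded


if __name__ == "__main__":
    # Constructed sample: a benign request delivered out of order, and a
    # request carrying the forbidden token split across two segments.
    benign = segment(b"GET /index.html HTTP/1.0\r\n\r\n", 10)
    hostile = segment(b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n", 10)
    print("proxy, benign :", proxy_forward([benign[1], benign[0], benign[2]]))
    print("ips,   benign :", ips_forward([benign[1], benign[0], benign[2]]))
    print("proxy, hostile:", proxy_forward(hostile))
    print("ips,   hostile:", ips_forward(hostile))
```

Two things fall out of running it. The proxy's server-side segments carry its own sequence numbers and segment size, and nothing at all leaves the proxy until the complete request has been buffered and judged, which is also why a proxy holds more per-session state (two connections plus the buffered request) than a stateful packet filter and so handles fewer concurrent sessions on the same hardware. The inline IPS forwards the client's segments exactly as they arrived, in the order they arrived; by the time the shadow stream matches, the first segment of the hostile request has already been delivered.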

