Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Dave Piscitello <dave () corecom com>
Date: Sun, 25 Nov 2007 13:20:50 -0500
I believe this goes into the "proxies rawk" folder alongside my posts.

I really would like to see a thorough analysis of the performance of an application layer policy enforcement using strictly stateful inspection techniques versus the same policy enforced using strictly proxy techniques. I am not certain this could be done using any COTS firewalls today b/c the implementations have blurred the distinctions (my opinion). But perhaps that's good b/c people are paying less attention to the rhetoric and posturing than they did 10 years ago.
Patrick M. Hausen wrote:
> Hello,
>
> On Fri, Nov 23, 2007 at 05:07:23PM -0500, Paul D. Robertson wrote:
>> On Mon, 19 Nov 2007, Paul Melson wrote:
>>> But if my experience with Internet-enabled software vendors is anywhere near common, nobody's enabling the proxies.
>>
>> and has a miniscule share of the total firewall market. Of course, Cisco, Check Point, and most of their competitors have proxies. Proxy firewalls are dead. Long live proxy firewalls.
>
> Absolutely correct. Because at least for one of these vendors the proxies are riddled with bugs, i.e. protocol violations or, to the customer, arbitrary restrictions, and, additionally, performance plummets faster than <insert favorite comparison>. These proxies are (IMHO) just a check item for people who buy products based on check lists.
>
> You need to design a firewall for use of proxies as your main line of defense from the ground up. Fortunately current CPU speeds and RAM capacities show the "stateful packet filters are faster" argument not to be true anymore. At least not if implemented on general purpose hardware. The product with the "miniscule share of the total firewall market" can easily support Gigabit speeds.
>
> Of course I'm biased, but I happen to have a customer with about 14.000 seats running both Checkpoint and Secure Computing. You should talk to their IT staff. They introduced Checkpoint firewalls when your "high end" ALG was Gauntlet on a Sun E450. A current Sidewinder runs circles around these boxes. With much more thorough protocol inspection than Gauntlet ever had.
>
> Sorry, ^inspection^enforcement. ;-)
>
> Kind regards,
> Patrick M. Hausen
> Head of Networks and Security
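The distinction the thread keeps circling, stateful inspection deciding on connection state versus a proxy enforcing the protocol itself, is easy to see in miniature. The following is an added illustration written for this archive page; it is not code from the thread, from Gauntlet, Sidewinder, Check Point or any other product named above. The packet fields, requests and the small HTTP policy are all constructed for the example.

```python
"""
Constructed illustration: a stateful packet filter versus an application-layer
proxy enforcing the same nominal policy ("only web traffic to port 80").
Nothing here is taken from a real firewall product.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class StatefulFilter:
    """Stateful inspection: decides on the 5-tuple and connection state only."""
    allowed_dports: set = field(default_factory=lambda: {80})
    conns: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conns:
            # Established flow: the payload is never looked at.
            return "ALLOW"
        if pkt.syn and pkt.dport in self.allowed_dports:
            self.conns.add(key)  # create state for the new flow
            return "ALLOW"
        return "DROP"


# Application-layer policy: the proxy parses HTTP and refuses what it cannot
# parse or what the policy does not permit (constructed policy, HTTP/1.x only).
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


def proxy_decide(raw: bytes) -> str:
    """Return 'ACCEPT' or 'REJECT: <reason>' for one client request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "REJECT: no end of headers (not HTTP or incomplete)"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "REJECT: malformed request line"
    method, target, minor = m.group(1), m.group(2), m.group(3)
    if method not in ALLOWED_METHODS:
        return "REJECT: method %s not permitted" % method.decode()
    if not target.startswith(b"/"):
        return "REJECT: request target must be an absolute path"
    headers = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return "REJECT: malformed header line"
        headers.setdefault(h.group(1).lower(), []).append(h.group(2))
    if minor == b"1" and b"host" not in headers:
        return "REJECT: HTTP/1.1 request without Host header"
    lengths = headers.get(b"content-length", [])
    if any(not v.isdigit() for v in lengths) or len(set(lengths)) > 1:
        return "REJECT: invalid or conflicting Content-Length"
    return "ACCEPT"


def compare(payload: bytes) -> tuple:
    """Run one constructed client flow through both enforcement styles."""
    f = StatefulFilter()
    f.decide(Packet("10.0.0.5", "192.0.2.10", 40000, 80, syn=True))
    data = Packet("10.0.0.5", "192.0.2.10", 40000, 80, payload=payload)
    return f.decide(data), proxy_decide(payload)


if __name__ == "__main__":
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
                   b"SSH-2.0-OpenSSH_7.9\r\n",
                   b"TRACE / HTTP/1.1\r\nHost: www.example\r\n\r\n"):
        print(sample[:24], compare(sample))
```

The stateful filter allows every one of the three flows, because all it can see is "established connection to port 80". The proxy accepts only the first: the SSH banner on port 80 is not HTTP at all, and TRACE is outside the constructed policy. That is the "enforcement" Patrick corrects himself toward, and also why proxy bugs matter so much: everything the proxy refuses, legitimately or not, simply does not reach the server.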
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards