RE: Gauntlet adaptive proxies

[ICMan <shane_mason () securecomputing com>]

This is also something that has been with Secure Computing for about 2 1/2 
years.  Secure Computing calls it socket mating, which was first introduced 
in the Borderware product, and the technology has been adapted into 
Sidewinder.

ICMan

On Saturday, 07 November, 1998 3:07 PM, Dale Lancaster 
[SMTP:dlancaster () raptor com] wrote:
> -----Original Message-----
> From: Chris Michael <cm () rmsbus com>
> To: firewall-wizards () nfr net <firewall-wizards () nfr net>
> Date: Saturday, November 07, 1998 12:14 PM
> Subject: Gauntlet adaptive proxies
>
>
> > What do folks make of Gauntlet's adaptive proxies that got best of show 
at
> > Networld+Interop?  As I understand it the proxies can be configured to
> > switch over to packet filtering after the intitial connection has been 
set
> > up thus preserving a lot of the security while increasing the speed.
> >
> > Press release is at:
> > http://www.nai.com/about/news/press/1998/october/102898.asp
> >
> > Chris
>
> Its not a new technology for firewalls, just new to Gauntlet.  The same
> basic feature is available on CISCO PIX as "Cut-through Proxy", announced
> about 18 months ago.  AXENT Raptor Firewall has had it for about 9 
months,
> known as "Fastpath".  For CISCO it was added to their stateful 
architecture
> as a means to add user authentication to a connection and still do 
stateful
> packet filtering, no significant application level filtering was being 
done
> with the "proxy" portion.  For Raptor, done to give a performance boost.
>
> I will grant NA the honor of doing a good marketing job on a technology 
that
> is not new, but has been positioned against stateful packet filtering in 
a
> positive way.  Reading the PR closely it does state they were a Finalist 
for
> N+I Best of Show, not the actual winner of the award (unless all the
> finalist are the winners, not sure how that works). I am surprised in the
> announcement that they claim it "took years of research" - seems like a 
long
> time to figure this out.
>
> Overall, its a great feature to have for both stateful and proxy 
firewalls.
> It allows you to authenticate a connection, do the basic logging and 
then,
> if your security policy and comfort level allows, let's you gain the
> performance advantange of not doing any content scanning of the packets 
that
> flow through.  Once the packets start streaming through at the packet 
layer,
> its fundamentally equivalent to what you get with stateful packet 
filtering
> firewalls - no significant (or any) application level scanning of 
content,
> but a stateful connection with address hiding/NAT.  So, in essence, you 
have
> the best of both worlds with an application level firewall that has this
> feature, complete proxy, application aware filtering and/or just your 
basic
> stateful packet filtering - whatever suites your fancy.  I am not sure 
with
> Gauntlet how much application level filtering it does, if it doesn't do 
much
> more than poke the connection through, it might be worth sticking with 
the
> Adaptive Proxy on all connections.
>
> IMHO, this feature isn't worth using (a least on the Raptor Firewall) 
until
> you need significant performance in the 25 to 30 Mbit/sec and above 
range.
> Below that range, the application level proxies (mainly HTTP and FTP) can
> keep up (obviously platform dependent), with the added benefit of 
signficant
> protocol and application specific checks (meaing, that application 
specific
> attacks are filtered out, not virus scanning and the like).
>
> regards,
> dale
> =============================================
> Dale Lancaster
> Director of Technical Marketing
> AXENT Technologies
> =============================================
>
>
> > --  <--listserv unconfuser
> > {
> > |  Christopher Michael
> > |  RMS: information technology integrators
> > |  <cm () rmsbus com>
> > |  PGP key at http://rmsbus.com/cm-pgp.htm
> > |  PGP fingerprint (RSA):  585A 5EAA 6A93 EF98  EF15 F79F 7B42 4B2A
> > }