Firewall Wizards mailing list archives
Re: Gauntlet adaptive proxies
From: Frederick M Avolio <fred () avolio com>
Date: Mon, 09 Nov 1998 11:55:37 -0500
The white paper, pointed to by the press release in Chris' email, is interesting. I'd use it, rather than the press release, for further discussion. If it does do what it claims, it seems to be a very interesting addition to the mix, and I think it will meet the needs of a significant part of the user community.

In a follow-up to this, Dale Lancaster said this has been done before. I'm not doubting Dale, but I'd like to see white papers on the Cisco and Axent technologies. It would be useful to compare.

I agree with what Darren said, but I think (I'm a bit jet-lagged -- that's my escape route here :-)) I disagree with Dale. I think there should be a lot of use for an adaptive proxy technology. Performance certainly is one reason to use it. I think there is another, and it is one that is highlighted in the NAI paper.

In my experience, people want a dial or lever, with high security at one end, and usability or speed on the other. I don't think the NAI adaptive proxy exactly gives that. But it does give *some* granularity in setting. For example, as Darren pointed out, it would be nice to have the granularity of a proxy for FTP setup and command processing, but to have the speed of a packet filter for the file transfer. Or let's look at HTTP. I could, perhaps (I've only read the paper, not played with it) select any of the following:

    HTTP connection logging
    Block Java and ActiveX
    URL Filtering
    Virus Scanning

Depending on my security policy, I could have pure dynamic packet filtering, a pure application gateway, or a combination, with additional content screening. As security processing goes up, performance goes down. But the requirement is more than just "speed." If we believe that a product should not dictate a security policy, but support an existing one, then this sort of addition is a good thing and meets that requirement.

Further, we understand that there are basically two ways to do hybrids. Security can be added in series or in parallel. There have been hybrid firewalls that have proxies and filters in parallel. Adding security in parallel rarely (I really think "never") increases security. Adding security in series can increase security. The adaptive proxy mechanism *seems* to add security in series. If so, this is a very good thing.

Again, coming back to the press release -- yes, I agree Dale, it should not have taken years of research. I believe this took less than a year from conception to delivery.

Fred