Firewall Wizards mailing list archives

Re: Gauntlet adaptive proxies


From: Frederick M Avolio <fred () avolio com>
Date: Mon, 09 Nov 1998 11:55:37 -0500

The white paper, pointed to by the press release in Chris' email, is
interesting. I'd use it, rather than the press release for further
dicussion. If it does do what it claims, it seems to be a very interesting
addition to the mix, and I think it will meet the needs of a significant
part of the user community. 

In a follow-up to this Dale Lancaster said this has been done before. I'm
not doubting Dale, but I'd like to see white papers on the Cisco and Axent
technologies. It would be useful to compare.

I agree with what Darren said, but I think (I'm a bit jet-lagged -- that's
my escape route here :-)) I disagree with Dale. I think there should be a
lot of use for an adaptive proxy technology.  Performance, certainly is one
reason to use it. I think there is another, and it is one that is
highlighted in the NAI paper. 

In my experience, people want a dial or lever, with high security at one
end, and usability or speed on the other. I don't think the NAI adaptive
proxy exactly gives that. But it does give *some* granularity in setting.
For example, as Darren pointed out, it would be nice to have the
granularity of a proxy for FTP setup and command processing, but to have
the speed of a packet filter for the file transfer. Or let's look at HTTP.
I could, perhaps (I've only read the paper, not played with it) select any
of the following:

HTTP connection logging
Block Java and ActiveX
URL Filtering
Virus Scanning

Depending on my security policy, I could have pure dynamic packet filtering,
a pure application gateway, or a combination, with additional content
screening.  As security processing goes up, performance goes down. But the
requirement is more than just "speed." If we believe that a product should
not dictate a security policy, but support an existing one, then this sort
of addition is a good thing and meets that requirement.

Further, we understand that there are basically two ways to do hybrids.
Security can be added in series or in parallel. There have been hybrid
firewalls that have proxies and filters in parallel. Adding security in
parallel rarely (I really think "never") increases security. Adding
security in series can increase security. The adaptive proxy mechanism
*seems* to add security in series. If so, this is a very good thing.

Again, coming back to the press release -- yes, I agree Dale, it should not
have taken years of research. I believe this took less than a year from
conception to delivery.

Fred
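The series-versus-parallel point above can be made concrete with a small policy model. This is an added example, not code from the original post or from any of the products discussed; the FTP command vocabulary, the port list and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

@dataclass(frozen=True)
class Flow:
    proto: str    # transport protocol, e.g. "tcp"
    dport: int    # destination port
    payload: str  # application-layer data, e.g. one FTP command line

# A control is a predicate over a flow: True means "permit".
Control = Callable[[Flow], bool]

def packet_filter(allowed_ports: set) -> Control:
    # Layer-3/4 check only: it never inspects the payload.
    return lambda f: f.proto == "tcp" and f.dport in allowed_ports

def ftp_proxy(f: Flow) -> bool:
    # Application-layer check on the FTP control channel (constructed vocabulary).
    if f.proto != "tcp" or f.dport != 21:
        return False
    verb = f.payload.split(" ", 1)[0].upper()
    return verb in {"USER", "PASS", "LIST", "RETR", "QUIT"}

def in_series(controls: Iterable[Control]) -> Control:
    # Every control must permit the flow: at least as strict as its strictest member.
    chain = tuple(controls)
    return lambda f: all(c(f) for c in chain)

def in_parallel(controls: Iterable[Control]) -> Control:
    # Any one control may admit the flow: only as strict as its most permissive member.
    paths = tuple(controls)
    return lambda f: any(c(f) for c in paths)

# Constructed sample traffic: a legitimate command, a command the proxy
# refuses, and a flow to a port the filter does not open.
FLOWS = (
    Flow("tcp", 21, "USER alice"),
    Flow("tcp", 21, "SITE EXEC ls"),
    Flow("tcp", 23, "telnet login"),
)

def permitted(policy: Control, flows=FLOWS) -> list:
    # Payloads of the flows the given composite policy lets through.
    return [f.payload for f in flows if policy(f)]

PACKET_FILTER = packet_filter({21})
SERIES = in_series([PACKET_FILTER, ftp_proxy])
PARALLEL = in_parallel([PACKET_FILTER, ftp_proxy])
```

Run `permitted(SERIES)` and `permitted(PARALLEL)`: the parallel hybrid admits exactly what the packet filter alone admits, so adding the proxy beside it gains nothing, while the series arrangement only passes traffic both controls accept.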
