Firewall Wizards mailing list archives
RE: Consine FW
From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
Date: Mon, 12 Nov 2001 17:11:24 -0500 (EST)
Lucas,

If one considers the price performance of high end firewalls, which is what the market seems to be moving to nowadays. Consider the port density, price etc... you'd want to have multi gigabit capabilities especially when it is in a shared hosting/inter-enterprise environment. Although high end proxies are secure (a squid cluster) and do content inspection, the speed seems to be a distant dream and besides proxy in a hosting environment is a major no no. The thought of losing out on client info for site trends analysis or data mining is pretty much unacceptable. I guess the ideal solution would be to see Layer 7 analysis in a stateful firewall at high speeds.

Nimesh.

On Mon, 12 Nov 2001, Lucas, Perry wrote:
Just to contribute a little bit off the list. In the past, proxy firewalls were deemed to be more secure than stateful inspection firewalls. I don't know how well that still holds true today, as I personally haven't kept up on the debates, but the logic being that it is the proxy establishing the connections. Just to break it out in a rough sense, with stateful inspection you get a pc-to-pc connection with the firewall making some alterations to the packets for NAT or blocking ports as necessary. With proxy firewalls, the PC makes a connection to the proxy, and then the proxy makes the request out to the server. So you get a pc-to-proxy-to-pc connection. The trade-off, as has been mentioned, is a slight degradation in performance. You'll get different answers depending on which zealot you talk to as to which is better. My personal preference is towards stateful inspection firewalls such as PIX, Checkpoint, and Netscreen as they adapt to new technology easier and are usually fairly transparent in operation to the users.
-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Friday, November 09, 2001 3:56 AM
To: Nimesh Vakharia
Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

although as fast as computers are today the speed you can get from proxies may very well be sufficient, in most cases a fairly beefy box will make it so that your communications lines are your bottleneck, not the firewall (obviously does not apply to gig ethernet, but definitely does apply up to multiple DS-3's)

David Lang

On Thu, 8 Nov 2001, Nimesh Vakharia wrote:

Date: Thu, 8 Nov 2001 11:44:37 -0500 (EST)
From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
To: Bill_Royds () pch gc ca
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

agreed, the proxy's inherent behaviour to establish the connection itself is why it does not require it to be stateful which is why it casts a doubt on performance capabilities at high speeds and is less than ideal for a hosting environment.

On Thu, 8 Nov 2001 Bill_Royds () pch gc ca wrote:

An Application proxy firewall does not need stateful inspection. Stateful inspection is a method for packet filtering firewalls to carry information about TCP and UDP conversations to ensure that they are consistent. An application proxy does this inherently so it does not need a state table for the conversation.

Bill Royds

Nimesh Vakharia <nvakhari () clio rad sunysb edu>
11/07/01 04:08 PM
To: firewall-wizards () nfr com
cc:
Subject: [fw-wiz] Cosine FW

Hello, We are looking at a bunch of high-end firewall and VPN options and consine seems to be an interesting one. But someone told me that currently consine does not have a stateful firewall? Is that true? I was told they can support packet filtering and application proxy only...
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards