Re: Consine FW

[t <miedaner () twcny rr com>]

Bottleneck at the top vs bottleneck at the bottom.  Not sure which is better.
How about simply defining the the environment and using what is acceptable
relative to your the level of risk you wanna assume.

Nimesh Vakharia wrote:

> Lucas, If one considers the price performance of high end firewalls, which
> is what the market seems to be moving to now a days. Consider the port
> density, price etc... u'd want to have multi gigabit capabilities
> especially when it is in a shared hosting/inter-enterprise environment.
> Although high end proxy's are secure (a squid cluster) and do content
> inspection, the speed seems to be a distant dream and besides proxy in a
> hosting environment is a major no no. The thought of losing out on client
> info for site trends analysis or data mining is pretty much unacceptable.
> I guess the ideal solution would be to see Layer 7 analysis in a stateful
> firewall at high speeds.
>
> Nimesh.
>
> On Mon, 12 Nov 2001, Lucas, Perry wrote:
>
> > Just to contribute a little bit off the list.  In the past, proxy
> > firewalls were deemed to be more secure than stateful inspection
> > firewalls.  I don't know how well that still holds true today, as I
> > personally haven't kept up on the debates, but the logic being that it
> > is the proxy establishing the connections.  Just to break it out in a
> > rough sense, stateful inspection you get a pc-to-pc connection with the
> > firewall making some alterations to the packets for NAT or blocking
> > ports as necessary.  With proxy firewalls, the PC makes a connection to
> > the proxy, and then proxy makes the request out to the server.  So you
> > get a pc-to-proxy-to-pc connection.  The trade-off, as has been
> > mentioned, is a slight degradation in performance.
> >
> > You'll get different answers depending on which zealot you talk to as to
> > which is better.  My personal preference is towards stateful inspection
> > firewalls such as PIX, Checkpoint, and Netscreen as they adapt to new
> > technology easier and usually fairly transparent in operation to the
> > users.
> >
> > -----Original Message-----
> > From: David Lang [mailto:david.lang () digitalinsight com]
> > Sent: Friday, November 09, 2001 3:56 AM
> > To: Nimesh Vakharia
> > Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] Consine FW
> >
> > although as fast as computers are today the speed you can get from
> > proxies
> > may very well be sufficiant, in most cases a fairly beefy box will make
> > it
> > so that your communications lines are your bottleneck, not the firewall
> > (obviously does not apply to gig ethernet, but definantly does apply up
> > to
> > multiple DS-3's)
> >
> > David Lang
> >
> >
> >
> >  On Thu, 8 Nov 2001, Nimesh Vakharia wrote:
> >
> > > Date: Thu, 8 Nov 2001 11:44:37 -0500 (EST)
> > > From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
> > > To: Bill_Royds () pch gc ca
> > > Cc: firewall-wizards () nfr com
> > > Subject: Re: [fw-wiz] Consine FW
> > >
> > > agreed, the proxy's inherent behaviour to establish the connection
> > itself
> > > is why it does not require it to be stateful which is why it castes a
> > > doubt on performance capabilities at high speeds and is less than
> > ideal
> > > for a hosting environment.
> > >
> > >  On Thu, 8 Nov 2001 Bill_Royds () pch gc ca wrote:
> > >
> > > > An Application proxy firewall does not need stateful inspection.
> > Stateful
> > > > inspection is a method for packet filtering firewalls to carry
> > information
> > > > about TCP and UDP conversations to ensure that they are consistent.
> > An
> > > > application proxy does this inherently so it does not need a state
> > table
> > > > for the conversation.
> > > >
> > > >
> > > > Bill Royds
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Nimesh Vakharia <nvakhari () clio rad sunysb edu>
> > > > 11/07/01 04:08 PM
> > > >
> > > >
> > > >         To:     firewall-wizards () nfr com
> > > >         cc:
> > > >         Subject:        [fw-wiz] Cosine FW
> > > >
> > > >
> > > >
> > > > Hello,
> > > >
> > > > We are looking at a bunch of highend firewall and VPN options and
> > consine
> > > > seems to be an interesting one. But someone told me that currently
> > > > consine does not have a stateful firewall? Is that true. I was told
> > they
> > > > can support packet filtering and applcation proxy only...
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () nfr com
> > > > http://list.nfr.com/mailman/listinfo/firewall-wizards
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () nfr com
> > > http://list.nfr.com/mailman/listinfo/firewall-wizards
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards