Firewall Wizards mailing list archives

Re: netscreen proxies??


From: Paul Robertson <proberts () patriot net>
Date: Sat, 24 May 2003 20:58:39 -0400 (EDT)

On Sat, 24 May 2003, Adam wrote:

Can anyone tell me what real application proxy capabilities are in a
netscreen? I looked at it a few years ago and only saw proxies at the
transport layer. I saw a rep at a trade show recently that told me that
current generation netscreen provides deep layer 7 inspection for numerous
protocols.

[I don't know about Netscreen in particular, but this is a generic issue 
these days...]

"Layer 7 inspection" doesn't necessarily mean "application proxy," and 
hasn't for quite some time.  For some things, it may provide a similar 
level of control, for others it won't, and it really depends on how much 
stack-like behaviour there is in the product (which gets us to stack-like 
bugs...)  

With a proxy, you pretty much know that there's a functional client and 
mostly-functional server.  With "inspection," it's pretty darned difficult 
to figure out what's inside the box.  I've yet to see any commercial 
vendor enumerate very well at all, what inspection happens, and what 
impact it has on the protocol for a particular firewall product.

We've all seen what happens when "inspection" happens to FTP, and things 
like H.323 don't give me warm fuzzies at all when it comes to "inspection" 
and firewalls.  Heck, I'm not at all sure I've seen anyone touting any 
sort of protection from an HTTP inspection engine for anything that wasn't 
trivial.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

