Re: Firewall bake-off?

["K K" <kkadow () gmail com>]

On 3/19/07, Marcus J. Ranum <mjr () ranum com> wrote:
> K K wrote:
> > Any organization deploying firewalls needs to know their own
> > comfort level and requirements, and choose the solution which is
> > right for them.
>
> > joel l huebner wrote:
> > > My vote would be SecureComputing's Sidewinder product line...
> > > Very SECURE, very easy to use!
>
> > But not exactly know as speed demons, and no published 64-byte PPS
> > throughput benchmarks.

I should have put an emoticon at the end of that sentence :)


> It's a proxy firewall. PPS benchmarks are irrelevant because the traffic
> is moving through layer 7.

If only that were the case for all TCP and UDP higher-level protocols.
Many ports, when enabled, are passed with a generic proxy, not much
more sophisticated than your original protocol-agnostic TCP "plug" proxy.
Same goes for just about every other "proxy" or "deep inspection"
product on the market -- some protocols are deep, others shallow.
If you're lucky, the vendor clearly indicates which is which.

And like every other vendor, the best Sidewinder benchmark results
are obtained with the most "expensive" inspection features disabled,
but, IIRC, they don't cheat and turn off proxying entirely.


> This isn't intended as a bash at you, Kevin, because you're not the
> one who raised PPS as a measure of firewall performance (I think it
> was Carson) - but if someone starts talking about PPS as a firewall
> benchmark, they may as well hold up a big sign that reads:
> "I DO NOT UNDERSTAND WHAT A FIREWALL DOES"

Exactly.


Kevin Kadow
--
Moderator, unofficial Sidewinder Users group
http://groups.yahoo.com/group/sidewinder-users/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards