Re: [fw-wiz] on-the-fly-analysis vs. proxy rewrites

On Wednesday, February 08, 2006 1:27 AM, Darren Reed so wrote:

On Tuesday, February 07, 2006 12:50 PM, Dave Piscitello so spake:

An interesting exercise for this list - possibly a new thread? - is
"what security policies are best enforced by implementing
analysis" versus "what security policies are best enforced by proxy

How is one different to the other ?

How is a proxy not doing something "on the fly" ?

My sometimes jaded view is that the proxy rewrites the traffic to
conform to whatever the proxy writer wrote. Hopefully, that matches up
with some standard protocol to _provide_ the security. I.E. You get the
security from the proxy writer having rewritten your traffic. It's doing
*something,* true, but it's not "checking" anything. It's just not
re-writing any *bad* stuff.

That is still "on the fly". The original question (however flawed it
was), wanted to compare "on the fly" vs proxy. I'd assert that in
nearly all cases, except for SMTP, the proxy IS "on the fly".

firewall-wizards mailing list