Re: [fw-wiz] Firewall bake-off?

On 3/19/07, Marcus J. Ranum <mjr@xxxxxxxxx> wrote:
K K wrote:
Any organization deploying firewalls needs to know their own
comfort level and requirements, and choose the solution which is
right for them.

joel l huebner wrote:
My vote would be SecureComputing's Sidewinder product line...
Very SECURE, very easy to use!

But not exactly know as speed demons, and no published 64-byte PPS
throughput benchmarks.

I should have put an emoticon at the end of that sentence :)

It's a proxy firewall. PPS benchmarks are irrelevant because the traffic
is moving through layer 7.

If only that were the case for all TCP and UDP higher-level protocols.
Many ports, when enabled, are passed with a generic proxy, not much
more sophisticated than your original protocol-agnostic TCP "plug" proxy.
Same goes for just about every other "proxy" or "deep inspection"
product on the market -- some protocols are deep, others shallow.
If you're lucky, the vendor clearly indicates which is which.

And like every other vendor, the best Sidewinder benchmark results
are obtained with the most "expensive" inspection features disabled,
but, IIRC, they don't cheat and turn off proxying entirely.

This isn't intended as a bash at you, Kevin, because you're not the
one who raised PPS as a measure of firewall performance (I think it
was Carson) - but if someone starts talking about PPS as a firewall
benchmark, they may as well hold up a big sign that reads:


Kevin Kadow
Moderator, unofficial Sidewinder Users group
firewall-wizards mailing list