Re: [fw-wiz] Firewall bake-off?

On 3/19/07, Marcus J. Ranum <mjr@xxxxxxxxx> wrote:
> K K wrote:
> > Any organization deploying firewalls needs to know their own
> > comfort level and requirements, and choose the solution which is
> > right for them.
> >
> > joel l huebner wrote:
> > > My vote would be SecureComputing's Sidewinder product line...
> > > Very SECURE, very easy to use!
> >
> > But not exactly known as speed demons, and no published 64-byte PPS
> > throughput benchmarks.

I should have put an emoticon at the end of that sentence :)

> It's a proxy firewall. PPS benchmarks are irrelevant because the traffic
> is moving through layer 7.

If only that were the case for all TCP and UDP higher-level protocols.
Many ports, when enabled, are passed with a generic proxy, not much
more sophisticated than your original protocol-agnostic TCP "plug" proxy.
Same goes for just about every other "proxy" or "deep inspection"
product on the market -- some protocols are deep, others shallow.
If you're lucky, the vendor clearly indicates which is which.

And like every other vendor, the best Sidewinder benchmark results
are obtained with the most "expensive" inspection features disabled,
but, IIRC, they don't cheat and turn off proxying entirely.

> This isn't intended as a bash at you, Kevin, because you're not the
> one who raised PPS as a measure of firewall performance (I think it
> was Carson) - but if someone starts talking about PPS as a firewall
> benchmark, they may as well hold up a big sign that reads:


Kevin Kadow
Moderator, unofficial Sidewinder Users group
firewall-wizards mailing list
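The distinction Kevin draws above between a protocol-agnostic TCP "plug" proxy and a proxy that actually understands the application protocol, shown as an added example that is not part of the original thread and is not any vendor's code. The two relay functions, the HTTP policy they apply (allowed methods, Content-Length-only framing, Host required for HTTP/1.1, hop-by-hop headers stripped) and the sample requests are all constructed assumptions for illustration. Sockets are left out so the decision logic can be run offline; each function takes one client-to-server message and returns the bytes to forward upstream, or None to drop it.

```python
"""
Plug proxy versus application-layer proxy, as decision functions over bytes.

plug_relay forwards whatever arrives: the port number is the whole policy.
http_proxy_relay parses the message as an HTTP/1.x request and forwards
only a rebuilt copy of what it understood.  Both take one client-to-server
message and return the bytes to send upstream, or None to drop it.
"""
import re
from typing import Dict, Optional, Tuple

# Policy of the example proxy (assumptions for illustration, not any product's rules)
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
HOP_BY_HOP = {b"connection", b"proxy-connection", b"keep-alive", b"te", b"upgrade"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")


def plug_relay(data: bytes) -> Optional[bytes]:
    """Protocol-agnostic TCP plug proxy: every byte is forwarded unchanged."""
    return data


def http_proxy_relay(data: bytes) -> Optional[bytes]:
    """HTTP-aware proxy: forward only a well-formed, allowed request, rebuilt
    from the parsed fields; anything else is dropped (None)."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no header block: not HTTP at all
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None                      # request line is not HTTP/1.x
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return None                      # e.g. CONNECT: refuse to become a blind tunnel
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            return None                  # malformed or obs-folded header line
        key = name.lower()
        if key in headers:
            return None                  # duplicate header: ambiguous framing
        headers[key] = value.strip()
    if version == b"1.1" and b"host" not in headers:
        return None                      # Host is mandatory in HTTP/1.1
    if b"transfer-encoding" in headers:
        # Only Content-Length framing is understood here; a request carrying
        # Transfer-Encoding (alone or next to Content-Length, the classic
        # smuggling ambiguity) is refused rather than relayed blind.
        return None
    declared = headers.get(b"content-length", b"0")
    if not declared.isdigit() or int(declared) != len(body):
        return None                      # body length disagrees with the header
    # Rebuild from parsed fields (names lower-cased, hop-by-hop headers removed):
    # nothing the parser did not understand reaches the server verbatim.
    out = [b"%s %s HTTP/%s" % (method, target, version)]
    out += [b"%s: %s" % (k, v) for k, v in headers.items() if k not in HOP_BY_HOP]
    return b"\r\n".join(out) + b"\r\n\r\n" + body


# Constructed sample traffic, all arriving under the same "port 80 allowed" rule.
SAMPLES: Dict[str, bytes] = {
    "plain_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Connection: keep-alive\r\n\r\n"),
    "ssh_on_80": b"SSH-2.0-OpenSSH_4.3\r\n",
    "connect_tunnel": b"CONNECT relay.example:443 HTTP/1.1\r\nHost: relay.example\r\n\r\n",
    "cl_te_smuggle": (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
                      b"0\r\n\r\n"),
}


def compare(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Per sample: (forwarded by the plug proxy, forwarded by the HTTP proxy)."""
    return {name: (plug_relay(d) is not None, http_proxy_relay(d) is not None)
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (plug, deep) in compare(SAMPLES).items():
        print(f"{name:15s} plug={'pass' if plug else 'drop'}  http={'pass' if deep else 'drop'}")
```

Run it directly to print the per-sample decisions: the plug relay passes all four messages, the HTTP-aware relay passes only the plain GET (with its Connection header removed and names lower-cased) and drops the SSH banner, the CONNECT tunnel and the CL/TE request. The cost of the second function is set by how much protocol it has to parse and rebuild per request, not by the size of the packets carrying it, which is why a 64-byte PPS figure says little about a proxy of this kind.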
