Re: [fw-wiz] Firewalls that generate new packets..
- From: "Patrick M. Hausen" <hausen@xxxxxxxx>
- Date: Sat, 24 Nov 2007 00:08:35 +0100
Hello,

On Fri, Nov 23, 2007 at 05:07:23PM -0500, Paul D. Robertson wrote:
> On Mon, 19 Nov 2007, Paul Melson wrote:
> > and has a miniscule share of the total firewall market. Of course, Cisco,
> > Check Point, and most of their competitors have proxies. Proxy firewalls
> > are dead. Long live proxy firewalls.
>
> But if my experience with Internet-enabled software vendors is anywhere
> near common, nobody's enabling the proxies.

Absolutely correct. Because at least for one of these vendors
the proxies are riddled with bugs, i.e. protocol violations or,
to the customer, arbitrary restrictions, and, additionally,
performance plummets faster than <insert favorite comparison>.

These proxies are (IMHO) just a check item for people who buy
products based on check lists.

You need to design a firewall for use of proxies as your main
line of defense from the ground up. Fortunately current CPU
speeds and RAM capacities show the "stateful packet filters
are faster" argument not to be true anymore. At least not
if implemented on general purpose hardware.

The product with the "miniscule share of the total firewall market"
can easily support Gigabit speeds.

Of course I'm biased, but I happen to have a customer with
about 14.000 seats running both Checkpoint and Secure Computing.
You should talk to their IT staff.

They introduced Checkpoint firewalls when your "high end" ALG
was Gauntlet on a Sun E450. A current Sidewinder runs circles
around these boxes. With much more thorough protocol inspection
than Gauntlet ever had. Sorry, ^inspection^enforcement. ;-)

Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@xxxxxxxx http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards