Re: [fw-wiz] Firewalls that generate new packets..
- From: Dave Piscitello <dave@xxxxxxxxxxx>
- Date: Sun, 25 Nov 2007 13:20:50 -0500
I believe this goes into the "proxies rawk" folder alongside my posts.
I really would like to see a thorough analysis of the performance of an application layer policy enforcement using strictly stateful inspection
techniques versus the same policy enforced using strictly proxy techniques. I am not certain this could be done using any COTS firewalls today b/c the implementations have blurred the distinctions (my opinion). But perhaps that's good b/c people are paying less attention to the rhetoric and posturing than they did 10 years ago.
Patrick M. Hausen wrote:
Hello,begin:vcard
On Fri, Nov 23, 2007 at 05:07:23PM -0500, Paul D. Robertson wrote:On Mon, 19 Nov 2007, Paul Melson wrote:
and has a miniscule share of the total firewall market. Of course, Cisco,But if my experience with Internet-enabled software vendors is anywhere near common, nobody's enablign the proxies.
Check Point, and most of their competitors have proxies. Proxy firewalls
are dead. Long live proxy firewalls.
Absolutely correct. Because at least for one of these vendors
the proxies are riddled with bugs, i.e. protocol violations or,
to the customer, arbitrary restrictions, and, additionally,
performance plummets faster than <insert favorite comparison>.
These proxies are (IMHO) just a check item for people who buy
products based on check lists.
You need to design a firewall for use of proxies as your main
line of defense from the ground up. Fortunately current CPU
speeds and RAM capacities show the "stateful packet filters
are faster" argument not to be true anymore. At least not
if implemented on general purpose hardware.
The product with the "miniscule share of the total firewall market"
can easily support Gigabit speeds.
Of course I'm biased, but I happen to have a customer with
about 14.000 seats running both Checkpoint and Secure Computing.
You should talk to their IT staff.
They introduced Checkpoint firewalls when your "high end" ALG
was Gauntlet on a Sun E450. A current Sidewinder runs circles
around these boxes. With much more thorough protocol inspection
than Gauntlet ever had. Sorry, ^inspection^enforcement. ;-)
Kind regards,
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@xxxxxxxxxxx
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- Follow-Ups:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Marcus J. Ranum
- Re: [fw-wiz] Firewalls that generate new packets..
- References:
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Paul Melson
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Paul D. Robertson
- Re: [fw-wiz] Firewalls that generate new packets..
- From: Patrick M. Hausen
- Re: [fw-wiz] Firewalls that generate new packets..
- Prev by Date: Re: [fw-wiz] Opinions wanted...
- Next by Date: Re: [fw-wiz] How to find hidden host within LAN
- Previous by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Next by thread: Re: [fw-wiz] Firewalls that generate new packets..
- Index(es):
Relevant Pages
|
|
