Firewall Wizards mailing list archives

Re: NAI Gauntlet "Best of Show Award" The Real Deal


From: "Dale Lancaster" <dlancaster () raptor com>
Date: Thu, 12 Nov 1998 00:27:51 -0600

From: Frederick M Avolio <fred () avolio com>


If we agree that the basic "feature" being touted is something like: start a connection at the proxy layer and then send data packets through at the packet layer AND you agree that it's done primarily to increase throughput of the firewall - then I would agree with Andy that it is a re-work of the

Yes, but I do not agree that the only reason to do this is throughput, as
we discussed a bit in Tucson the other day. Also, I discussed it I think
somewhere in this thread. Sometimes it makes no sense to relay data
through a proxy. For example, data that you do not process nor does it make
any sense to process (audio streams come to mind).



I would agree that not all data streams would benefit from data examination.
Even so, if we extend your argument a bit further, if performance is not the
only reason to do GAP (or not a reason at all), and the data stream does not
need to be examined because there is nothing to really filter out, then it
really doesn't matter if it goes up and down the stack or just through at
the network layer.  And if given a choice, I think a higher level of
security is achieved for the session (in this scenario) by forcing the
packets up and down the stack at the firewall.

I know what the Raptor Firewall Fastpath (RFF) does, but I don't know if it does more or less than what Gauntlet Adaptive Proxy (GAP) does.  Based strictly on the whitepaper, I would judge it to be very similar to the RFF stuff and both being more than what CISCO PIX offers.  The Cut-through proxy appears to have the actual proxy go away and not have anything more to do with the connection, whereas GAP and RFF leave the proxy "running", but only for control, not data transfer.

Yes and I consider this considerably more.

Agreed.

2) "As a result, an adaptive proxy firewall is every bit as secure as a standard proxy firewall ...".  I would claim this is simply not true.  The real value of a standard proxy firewall is the fact that application data is checked for known attacks, not just that a logical separation of the networks has occurred by creating a new connection for every session.  For

Yes, but in the case where there is nothing to check (a video stream) or
where the customer picks speed over security under certain conditions, this
is more secure than the other methods mentioned by you.


See my earlier response to 1) and if data examination isn't really useful or
required, I would agree that it is more secure than SPF. I suppose we leave
the why as an exercise for the reader :-)

I'd love to see a white paper on Raptor's implementation, even containing
some marketing-speak as the Gauntlet paper. :-) Even if it has all that you
say is missing in the Gauntlet paper.  If Raptor has all of this also this
is wonderful, very useful, a secure hybrid (as opposed to what some vendors
with mixed systems offer), and you should have tooted your horn about it
long ago. Also, NAI says they have applied for a patent, so make sure
you've got your lab books dated and signed. :-)

As mentioned before, an RFF tech brief is needed and is something that is now
in process.  A little marketing-speak will probably be present :-).  As to
tooting our horn on it, I guess we should have.  We saw it, at the time, as
a continuation of several significant performance enhancements, which in the
end did show up to put us on par with stateful packet filtering products
(see Datacomm NT firewall bakeoff results from a few months ago).  So the
end result is the same, users don't have to choose between security and
performance (application vs. stateful), they can have both and a choice in a
single application level firewall (and have had that choice now for about 9
months:-).

And -- since someone already asked -- no, I did not write the Gauntlet
white paper. I'd have gotten the historic part correct. :-)

Maybe you should have written it :-)

So, net result, I believe GAP and RFF are similar, and do provide, when
used, a higher degree of security than SPF, but with the same level of
performance and we at AXENT are pleased to see that another vendor has
followed our lead, a few months behind the curve :-))))

talk to you later
dale
=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================
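To make the distinction argued in this exchange concrete, here is an added Python model of the three session-handling styles the thread compares: a standard application proxy (every packet relayed up the stack), an adaptive/fast-path proxy (proxy authorizes the session and stays attached for control, data bypasses it), and a cut-through proxy (proxy disappears after setup). This is illustrative code written for this archive page, not Raptor, NAI or Cisco code; the class and function names (`ToyFirewall`, `Mode`, `run`, `revoke`), the FTP packets and the "bad pattern" signatures are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PROXY = "proxy"              # every data packet is relayed through the proxy
    FASTPATH = "fastpath"        # proxy stays attached for control, data bypasses it
    CUT_THROUGH = "cut-through"  # proxy drops out entirely once the session is set up


# Which per-session mode each firewall style assigns after a successful setup.
STRATEGY_MODE = {
    "standard": Mode.PROXY,
    "adaptive": Mode.FASTPATH,
    "cut-through": Mode.CUT_THROUGH,
}

# Constructed sample signatures standing in for whatever checks a real
# application proxy performs on FTP commands; not a real signature set.
BAD_PATTERNS = (b"../../", b"SITE EXEC")


def payload_is_clean(payload: bytes) -> bool:
    """Application-layer check: True unless a known-bad pattern is present."""
    return not any(pattern in payload for pattern in BAD_PATTERNS)


@dataclass
class Session:
    mode: Mode
    proxy_attached: bool  # can the proxy still act on this session (close it, re-policy it)?
    packets: int = 0


class ToyFirewall:
    def __init__(self, strategy: str):
        self.default_mode = STRATEGY_MODE[strategy]
        self.table: dict = {}   # (src, dst, dport) -> Session
        self.events: list = []  # audit trail of decisions

    def handle(self, pkt: dict) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        sess = self.table.get(key)
        if sess is None:
            # Session setup goes through the proxy in all three styles, so
            # the first packet is always inspected.
            if not payload_is_clean(pkt["payload"]):
                self.events.append(("deny", "setup", key))
                return False
            sess = Session(self.default_mode,
                           proxy_attached=self.default_mode is not Mode.CUT_THROUGH)
            self.table[key] = sess
            sess.packets += 1
            self.events.append(("allow", "setup", key, sess.mode.value))
            return True
        sess.packets += 1
        if sess.mode is Mode.PROXY:
            # Standard proxy: every packet goes up the stack and is inspected.
            if not payload_is_clean(pkt["payload"]):
                self.events.append(("deny", "data", key))
                return False
            self.events.append(("allow", "data-inspected", key))
            return True
        # FASTPATH and CUT_THROUGH: only the state-table match is checked;
        # the payload is never looked at again.
        self.events.append(("allow", "data-passthrough", key))
        return True

    def revoke(self, key) -> bool:
        """Proxy-level control action (policy change, idle timeout, admin kill).
        Only works while a proxy is still attached to the session."""
        sess = self.table.get(key)
        if sess is None or not sess.proxy_attached:
            return False
        del self.table[key]
        self.events.append(("revoke", key))
        return True


# Constructed FTP control-channel flow: clean setup, clean command, then a
# command matching one of the sample bad patterns mid-session.
SAMPLE_FLOW = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21, "payload": b"USER anonymous"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21, "payload": b"RETR report.txt"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21, "payload": b"SITE EXEC /bin/sh"},
]


def run(strategy: str, packets=None) -> dict:
    """Push a flow through one firewall style and summarise what happened."""
    packets = SAMPLE_FLOW if packets is None else packets
    fw = ToyFirewall(strategy)
    verdicts = [fw.handle(p) for p in packets]
    key = (packets[0]["src"], packets[0]["dst"], packets[0]["dport"])
    return {
        "forwarded": verdicts.count(True),
        "dropped": verdicts.count(False),
        "revocable": fw.revoke(key),   # can the proxy still tear the session down?
    }


if __name__ == "__main__":
    for style in STRATEGY_MODE:
        print(f"{style:12s} {run(style)}")
```

Running it shows the two points made above: only the standard proxy drops the bad command that arrives after setup, because the adaptive and cut-through styles stop examining payload once the session is in the state table; and the adaptive style still differs from cut-through in that the proxy retains a handle on the session (`revocable` is True), which is the "running, but only for control" property the thread attributes to GAP and RFF.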


