Firewall Wizards mailing list archives
Re: NAI Gauntlet "Best of Show Award" The Real Deal
From: "Dale Lancaster" <dlancaster () raptor com>
Date: Thu, 12 Nov 1998 00:27:51 -0600
From: Frederick M Avolio <fred () avolio com>

>> If we agree that the basic "feature" being touted is something like: start a connection at the proxy layer and then send data packets through at the packet layer AND you agree that it's done primarily to increase throughput of the firewall - then I would agree with Andy that it is a re-work of the
>
> Yes, but I do not agree that the only reason to do this is throughput, as we discussed a bit in Tucson the other day. Also, I discussed it I think somewhere in this thread. Sometimes it makes no sense to relay data through a proxy. For example, data that you do not process nor does it make any sense to process (audio streams come to mind).
I would agree that not all data streams would benefit from data examination. Even so, if we extend your argument a bit further, if performance is not the only reason to do GAP (or not a reason at all), and the data stream does not need to be examined because there is nothing to really filter out, then it really doesn't matter if it goes up and down the stack or just through at the network layer. And if given a choice, I think a higher level of security is achieved for the session (in this scenario) by forcing the packets up and down the stack at the firewall.
>> I know what the Raptor Firewall Fastpath (RFF) does, but I don't know if it does more or less than what Gauntlet Adaptive Proxy (GAP) does. Based strictly on the whitepaper, I would judge it to be very similar to the RFF stuff and both being more than what CISCO PIX offers. The Cut-through proxy appears to have the actual proxy go away and not have anything more to do with the connection, whereas GAP and RFF leave the proxy "running", but only for control, not data transfer.
>
> Yes and I consider this considerably more.
Agreed.
>> 2) "As a result, an adaptive proxy firewall is every bit as secure as a standard proxy firewall ...". I would claim this is simply not true. The real value of a standard proxy firewall is the fact that application data is checked for known attacks, not just that a logical separation of the networks has occurred by creating a new connection for every session. For
>
> Yes, but in the case where there is nothing to check (a video stream) or where the customer picks speed over security under certain conditions, this is more secure than the other methods mentioned by you.
See my earlier response to 1) and if data examination isn't really useful or required, I would agree that it is more secure than SPF. I suppose we leave the why as an exercise for the reader :-)
> I'd love to see a white paper on Raptor's implementation, even containing some marketing-speak as the Gauntlet paper. :-) Even if it has all that you say is missing in the Gauntlet paper. If Raptor has all of this also this is wonderful, very useful, a secure hybrid (as opposed to what some vendors with mixed systems offer), and you should have tooted your horn about it long ago. Also, NAI says they have applied for a patent, so make sure you've got your lab books dated and signed. :-)
As mentioned before, RFF tech brief is needed and something that is now in process. A little marketing-speak will probably be present :-). As to tooting our horn on it, I guess we should have. We saw it, at the time, as a continuation of several significant performance enhancements, which in the end did show up to put us on par with stateful packet filtering products (see Datacomm NT firewall bakeoff results from a few months ago). So the end result is the same, users don't have to choose between security and performance (application vs. stateful), they can have both and a choice in a single application level firewall (and have had that choice now for about 9 months:-).
> And -- since someone already asked -- no, I did not write the Gauntlet white paper. I'd have gotten the historic part correct. :-)
Maybe you should have written it :-) So, net result, I believe GAP and RFF are similar, and do provide, when used, a higher degree of security than SPF, but with the same level of performance and we at AXENT are pleased to see that another vendor has followed our lead, a few months behind the curve :-))))

talk to you later
dale

=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================