Firewall Wizards mailing list archives
RE: Gauntlet adaptive proxies
From: ICMan <shane_mason () securecomputing com>
Date: Mon, 9 Nov 1998 09:23:25 -0500
This is also something that has been with Secure Computing for about 2 1/2 years. Secure Computing calls it socket mating, which was first introduced in the Borderware product, and the technology has been adapted into Sidewinder.

ICMan

On Saturday, 07 November, 1998 3:07 PM, Dale Lancaster [SMTP:dlancaster () raptor com] wrote:
-----Original Message-----
From: Chris Michael <cm () rmsbus com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Saturday, November 07, 1998 12:14 PM
Subject: Gauntlet adaptive proxies

What do folks make of Gauntlet's adaptive proxies that got best of show at Networld+Interop? As I understand it, the proxies can be configured to switch over to packet filtering after the initial connection has been set up, thus preserving a lot of the security while increasing the speed.

Press release is at: http://www.nai.com/about/news/press/1998/october/102898.asp

Chris

It's not a new technology for firewalls, just new to Gauntlet. The same basic feature is available on CISCO PIX as "Cut-through Proxy", announced about 18 months ago. AXENT Raptor Firewall has had it for about 9 months, known as "Fastpath". For CISCO it was added to their stateful architecture as a means to add user authentication to a connection and still do stateful packet filtering; no significant application level filtering was being done with the "proxy" portion. For Raptor, done to give a performance boost.

I will grant NA the honor of doing a good marketing job on a technology that is not new, but has been positioned against stateful packet filtering in a positive way. Reading the PR closely it does state they were a Finalist for N+I Best of Show, not the actual winner of the award (unless all the finalists are the winners, not sure how that works). I am surprised in the announcement that they claim it "took years of research" - seems like a long time to figure this out.

Overall, it's a great feature to have for both stateful and proxy firewalls. It allows you to authenticate a connection, do the basic logging and then, if your security policy and comfort level allows, lets you gain the performance advantage of not doing any content scanning of the packets that flow through. Once the packets start streaming through at the packet layer, it's fundamentally equivalent to what you get with stateful packet filtering firewalls - no significant (or any) application level scanning of content, but a stateful connection with address hiding/NAT. So, in essence, you have the best of both worlds with an application level firewall that has this feature, complete proxy, application aware filtering and/or just your basic stateful packet filtering - whatever suits your fancy. I am not sure with Gauntlet how much application level filtering it does; if it doesn't do much more than poke the connection through, it might be worth sticking with the Adaptive Proxy on all connections.

IMHO, this feature isn't worth using (at least on the Raptor Firewall) until you need significant performance in the 25 to 30 Mbit/sec and above range. Below that range, the application level proxies (mainly HTTP and FTP) can keep up (obviously platform dependent), with the added benefit of significant protocol and application specific checks (meaning that application specific attacks are filtered out, not virus scanning and the like).

regards,
dale

=============================================
Dale Lancaster
Director of Technical Marketing
AXENT Technologies
=============================================

--
<--listserv unconfuser
{
| Christopher Michael
| RMS: information technology integrators
| <cm () rmsbus com>
| PGP key at http://rmsbus.com/cm-pgp.htm
| PGP fingerprint (RSA): 585A 5EAA 6A93 EF98 EF15 F79F 7B42 4B2A
}