Firewall Wizards mailing list archives
Re: netscreen proxies??
From: Paul Robertson <proberts () patriot net>
Date: Sat, 24 May 2003 20:58:39 -0400 (EDT)
On Sat, 24 May 2003, Adam wrote:
> Can anyone tell me what real application proxies capabilities are in a netscreen? I looked at it a few years ago and only saw proxies at the transport layer. I saw a rep at a trade show recently that told me that current generation netscreen provides deep layer 7 inspection for numerous protocols.
[I don't know about Netscreen in particular, but this is a generic issue these days...]

"Layer 7 inspection" doesn't necessarily mean "application proxy," and hasn't for quite some time. For some things, it may provide a similar level of control, for others it won't, and it really depends on how much stack-like behaviour there is in the product (which gets us to stack-like bugs...)

With a proxy, you pretty much know that there's a functional client and mostly-functional server. With "inspection," it's pretty darned difficult to figure out what's inside the box. I've yet to see any commercial vendor enumerate very well at all, what inspection happens, and what impact it has on the protocol for a particular firewall product.

We've all seen what happens when "inspection" happens to FTP, and things like H.323 don't give me warm fuzzies at all when it comes to "inspection" and firewalls. Heck, I'm not at all sure I've seen anyone touting any sort of protection from an HTTP inspection engine for anything that wasn't trivial.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards