Firewall Wizards mailing list archives

Re: Firewall bake-off?


From: "Jim MacLeod" <jmacleod () gmail com>
Date: Mon, 19 Mar 2007 13:03:30 -0700

On 3/19/07, Marcus J. Ranum <mjr () ranum com> wrote:
[...] if someone starts talking about PPS as a firewall
benchmark, they may as well hold up a big sign that reads:
"I DO NOT UNDERSTAND WHAT A FIREWALL DOES"

Meaning no disrespect, it must also be stated that many companies have
a business need for their networks to be both Secure and Fast.

I am reminded of the argument that Telnet is a terrible protocol,
because it has a huge amount of protocol overhead per byte of payload.
The protocol MUST operate that way to provide rapid user feedback.
Everything has its strengths and weaknesses.

Similarly, a layer 7 proxy does not provide any more security than a
layer 4 stateful packet filter - for a given protocol - if the layer 7
element does not enforce rules for that protocol.  My favorite example
is ssh: port forwarding allows a lot of sins to be hidden from
centralized access control, but "it's encrypted, so it must be
secure."  (Yes, there are ssh proxies that can address this, but
they're not a common feature in firewalls.)

Anyone who focuses purely on speed in a firewall will arguably gain
nothing, as any potential improvement in security is nullified by a
false sense of confidence.  Anyone who completely neglects speed in a
firewall will arguably hurt their security posture by contributing to
the perception that security slows down your network, thus encouraging
end users - or even worse, CIOs - to attempt to bypass it.

-Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
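The ssh port-forwarding point made in the message above, as an added example that is not part of the original post or of the list thread: the comments show the tunnel forms an ssh client can open through a firewall that only sees "allowed: tcp/22", and the two sshd_config fragments show, side by side, OpenSSH's shipped defaults (which permit all of it) and a configuration that refuses it on the server, the one element in the path that can see inside the encrypted session. The directive names are real OpenSSH sshd_config keywords; the host names (bastion, intranet-wiki), ports and the group name are assumptions made up for the illustration.

```conf
# --- Client side: what "a lot of sins hidden from centralized access
# control" looks like. Every one of these rides inside a single encrypted
# TCP session to bastion:22, so a layer-4 filter, or a layer-7 proxy that
# does not enforce SSH semantics, sees only one permitted ssh connection.
#   ssh -L 8080:intranet-wiki:80 user@bastion   # local forward: pull an internal HTTP service out
#   ssh -R 2222:localhost:22 user@bastion       # remote forward: expose the client's own sshd inward
#   ssh -D 1080 user@bastion                    # dynamic forward: a SOCKS proxy to any inside host
#   ssh -w 0:0 user@bastion                     # tun device: a full layer-3 VPN (needs PermitTunnel)

# --- Server side, BEFORE: OpenSSH's defaults, i.e. what an sshd_config
# that says nothing about forwarding actually grants.
AllowTcpForwarding yes
AllowStreamLocalForwarding yes
PermitOpen any
GatewayPorts no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding yes

# --- Server side, AFTER: deny every tunnel form globally, then re-open
# exactly what the written access policy allows, for one group only.
# Directives inside a Match block override the global section for the
# connections that match, so the global section must carry the deny.
AllowTcpForwarding no
AllowStreamLocalForwarding no
PermitOpen none
GatewayPorts no
PermitTunnel no
X11Forwarding no
AllowAgentForwarding no
DisableForwarding yes      # OpenSSH 7.4 and later: one switch covering all of the above

# Assumed group and destination: maintainers may reach the wiki, nothing else.
Match Group wiki-maintainers
    DisableForwarding no
    AllowTcpForwarding local
    PermitOpen intranet-wiki:80
```

Two caveats a practitioner will want. First, these settings close only sshd's built-in channels; a user who still gets an interactive shell on the bastion can relay traffic through the pty with whatever tools are installed there, so a real restriction pairs this with ForceCommand or a restricted shell. Second, this is an endpoint control, not a firewall control: it works only for servers you administer, which is exactly why the message above notes that an ssh-aware proxy at the network choke point is the missing piece, and why "it's encrypted" says nothing about what the tunnel is carrying.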

