Firewall Wizards mailing list archives
RE: Consine FW
From: "Lucas, Perry" <plucas () lineartech com>
Date: Tue, 13 Nov 2001 09:26:35 -0500
I think we can argue the point about performance endlessly without getting raw data, which at this point is probably too costly for you and me. Has anyone tested a high end firewall, proxy or stateful, on 2 GHz quad-processor servers decked out with memory? It may give gigabit throughput performance for all we know at this point. I don't dispute the fact that proxy solutions degrade performance, but without current test data, knowing how secure the environment needs to be. Besides, in the original message, the user doesn't state that this is for a hosting environment. That was implied in your response...

As for the data mining and trend analysis, you grab that from the proxy firewall as opposed to the server, a la Webtrend firewall products.

Sincerely,
Perry J. Lucas

-----Original Message-----
From: Nimesh Vakharia [mailto:nvakhari () clio rad sunysb edu]
Sent: Monday, November 12, 2001 5:11 PM
To: Lucas, Perry
Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com; David Lang
Subject: RE: [fw-wiz] Consine FW

Lucas,

If one considers the price/performance of high end firewalls, which is what the market seems to be moving to nowadays. Consider the port density, price etc... you'd want to have multi-gigabit capabilities, especially when it is in a shared hosting/inter-enterprise environment. Although high end proxies are secure (a squid cluster) and do content inspection, the speed seems to be a distant dream, and besides, a proxy in a hosting environment is a major no-no. The thought of losing out on client info for site trend analysis or data mining is pretty much unacceptable. I guess the ideal solution would be to see Layer 7 analysis in a stateful firewall at high speeds.

Nimesh.

On Mon, 12 Nov 2001, Lucas, Perry wrote:
Just to contribute a little bit off the list. In the past, proxy firewalls were deemed to be more secure than stateful inspection firewalls. I don't know how well that still holds true today, as I personally haven't kept up on the debates, but the logic being that it is the proxy establishing the connections. Just to break it out in a rough sense, with stateful inspection you get a pc-to-pc connection with the firewall making some alterations to the packets for NAT or blocking ports as necessary. With proxy firewalls, the PC makes a connection to the proxy, and then the proxy makes the request out to the server. So you get a pc-to-proxy-to-pc connection. The trade-off, as has been mentioned, is a slight degradation in performance. You'll get different answers depending on which zealot you talk to as to which is better. My personal preference is towards stateful inspection firewalls such as PIX, Checkpoint, and Netscreen as they adapt to new technology easier and are usually fairly transparent in operation to the users.

-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Friday, November 09, 2001 3:56 AM
To: Nimesh Vakharia
Cc: Bill_Royds () pch gc ca; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

Although as fast as computers are today the speed you can get from proxies may very well be sufficient; in most cases a fairly beefy box will make it so that your communications lines are your bottleneck, not the firewall (obviously does not apply to gig ethernet, but definitely does apply up to multiple DS-3's).

David Lang

On Thu, 8 Nov 2001, Nimesh Vakharia wrote:

Date: Thu, 8 Nov 2001 11:44:37 -0500 (EST)
From: Nimesh Vakharia <nvakhari () clio rad sunysb edu>
To: Bill_Royds () pch gc ca
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Consine FW

Agreed, the proxy's inherent behaviour to establish the connection itself is why it does not require it to be stateful, which is why it casts a doubt on performance capabilities at high speeds and is less than ideal for a hosting environment.

On Thu, 8 Nov 2001 Bill_Royds () pch gc ca wrote:

An application proxy firewall does not need stateful inspection. Stateful inspection is a method for packet filtering firewalls to carry information about TCP and UDP conversations to ensure that they are consistent. An application proxy does this inherently so it does not need a state table for the conversation.

Bill Royds

Nimesh Vakharia <nvakhari () clio rad sunysb edu>
11/07/01 04:08 PM
To: firewall-wizards () nfr com
cc:
Subject: [fw-wiz] Cosine FW

Hello,

We are looking at a bunch of highend firewall and VPN options and consine seems to be an interesting one. But someone told me that currently consine does not have a stateful firewall? Is that true. I was told they can support packet filtering and application proxy only...
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
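The thread contrasts a stateful packet filter, which keeps a table of TCP conversations so that inbound packets are only passed when they belong to a connection the inside host opened, with an application proxy, which needs no such table because it is itself the TCP endpoint. The following is an added example written for this archive page; it is not code from any of the posters or from the CoSine product under discussion. It models the packet-filter side: a toy stateful inspection engine over constructed TCP packets (addresses, ports and flags are all made up; 10.0.0.0/24 is assumed to be the protected network, and the TCP state machine is simplified to the transitions a state table needs). The trace at the end shows why the state table matters: the unsolicited inbound SYN and the bare inbound ACK are both dropped, whereas a stateless rule that approximates "established" by the ACK bit alone would have passed the latter.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "10.0.0."   # assumption: the protected network is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # subset of "SAFR": SYN, ACK, FIN, RST


Key = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


class StatefulFilter:
    """Passes connections opened from the inside and the replies they
    solicit; drops any inbound packet that matches no tracked connection."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}

    @staticmethod
    def _inside(ip: str) -> bool:
        return ip.startswith(INSIDE_NET)

    def _key(self, p: Packet) -> Key:
        # Normalise both directions onto the inside host's view so that a
        # reply looks up the same entry the initiating SYN created.
        if self._inside(p.src):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        """Returns "ALLOW" or "DROP" and advances the entry's state."""
        key = self._key(p)
        state = self.table.get(key)
        outbound = self._inside(p.src)

        if "R" in p.flags:
            # RST tears down a known flow; an RST for an unknown flow is noise.
            if state is None:
                return "DROP"
            del self.table[key]
            return "ALLOW"

        if state is None:
            # Only an inside-originated SYN (no ACK) may create an entry.
            if outbound and p.flags == "S":
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"   # unsolicited inbound SYN, or a bare inbound ACK

        if state == "SYN_SENT":
            if not outbound and "S" in p.flags and "A" in p.flags:
                self.table[key] = "SYN_RECV"
                return "ALLOW"
            return "DROP"   # anything but the solicited SYN/ACK is out of sequence

        if state == "SYN_RECV":
            if outbound and p.flags == "A":
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"

        if state == "ESTABLISHED":
            if "F" in p.flags:
                self.table[key] = "FIN_WAIT"   # first FIN starts the close
            return "ALLOW"

        if state == "FIN_WAIT":
            if "F" in p.flags:
                self.table[key] = "LAST_ACK"   # second FIN; await its ACK
            return "ALLOW"

        # LAST_ACK: the final ACK completes the close and frees the entry.
        if "A" in p.flags:
            del self.table[key]
        return "ALLOW"


def run_trace(packets: List[Packet]) -> List[str]:
    fw = StatefulFilter()
    return [fw.process(p) for p in packets]


# Constructed trace: one legitimate outbound web connection, two unsolicited
# inbound packets from a third host, then an orderly close.
CLIENT, SERVER, STRANGER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
TRACE = [
    Packet(CLIENT, 40000, SERVER, 80, "S"),     # outbound SYN           -> ALLOW
    Packet(SERVER, 80, CLIENT, 40000, "SA"),    # solicited SYN/ACK      -> ALLOW
    Packet(CLIENT, 40000, SERVER, 80, "A"),     # handshake complete     -> ALLOW
    Packet(CLIENT, 40000, SERVER, 80, "A"),     # request data           -> ALLOW
    Packet(SERVER, 80, CLIENT, 40000, "A"),     # response data          -> ALLOW
    Packet(STRANGER, 1234, CLIENT, 22, "S"),    # unsolicited inbound SYN -> DROP
    Packet(STRANGER, 1234, CLIENT, 22, "A"),    # bare inbound ACK        -> DROP
    Packet(CLIENT, 40000, SERVER, 80, "FA"),    # client closes          -> ALLOW
    Packet(SERVER, 80, CLIENT, 40000, "FA"),    # server closes          -> ALLOW
    Packet(CLIENT, 40000, SERVER, 80, "A"),     # final ACK frees entry  -> ALLOW
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
```

The table this class maintains is exactly what Bill Royds says an application proxy does not need: a proxy accepts the client's TCP connection and opens its own to the server, so the operating system's socket layer already holds the per-connection state and there is no inbound packet to match against a flow entry. That is also the source of Nimesh Vakharia's logging concern: the server side of a proxied connection sees the proxy's address, so client details have to be taken from the proxy's own logs, as Perry Lucas says.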
Current thread:
- Re: Consine FW Bill_Royds (Nov 09)
- Re: Consine FW Nimesh Vakharia (Nov 09)
- Re: Consine FW David Lang (Nov 09)
- <Possible follow-ups>
- RE: Consine FW Nimesh Vakharia (Nov 13)
- Re: Consine FW t (Nov 14)
- RE: Consine FW Lucas, Perry (Nov 14)
- RE: Consine FW David Lang (Nov 14)
- RE: Consine FW Nimesh Vakharia (Nov 14)
- Re: Consine FW Volker Tanger (Nov 14)
- Re: Consine FW Nimesh Vakharia (Nov 15)
- Re: Consine FW Stephane Nasdrovisky (Nov 15)
- Re: Consine FW Nimesh Vakharia (Nov 09)
- RE: Consine FW Pieper, Rodney (Nov 14)
