[VPN] NetScreen / Juniper

Joseph S D Yao jsdy at center.osis.gov
Wed Mar 3 17:54:12 EST 2004


On Wed, Mar 03, 2004 at 03:14:03PM -0700, Joel Snyder wrote:
> "pure application proxy" is a marketing buzzword and does not represent 
> real technology.  It's the rehashing of a 10-year-old argument that the 
> "pure application proxy" vendors have failed to live up to.  Proxy-based 
> firewalls have never taken advantage of the architecture to the extent 
> they claimed they could; packet-filtering (stateful) firewalls have 
> created similar or better controls at the application layer than their 
> proxy-based cousins.
> 
> I recently did an evaluation of both kinds of products to see which had 
> lived up to their promise and, frankly, the proxy-based firewalls have 
> come only 2 baby steps in the last 5 years while the stateful packet 
> inspection devices have made huge strides, in some cases supplanting the 
> capabilities of the "pure application proxy" folks.
> 
> The arguments offered by proxy firewalls as to why they're "better" are 
> largely smoke and mirrors, and are not supported by the facts.  In many 
> cases, they have appended shitty non-stateful packet filtering firewalls 
> to deal with their miserable proxy performance; in all cases, they have 
> failed to exploit the application-layer visibility except in very 
> specific cases, mostly HTTP.  Their SMTP proxies are a joke, generally 
> reducing total system security and trading on general fear that somehow 
> a Microsoft TCP/IP stack is vulnerable just because it came from Microsoft.
> 
> The proof of the pudding is in the eating, and folks who have built-in 
> application layer visibility and ASIC-level speed (including Check 
> Point, NetScreen and maybe Cisco) are at a distinct advantage.

I would be interested to see your study.  I have asked for proofs of
the marketing phrases you use, above, and have never gotten anything
useful.  Of course, stateful inspection has to have come a lot further
from where it was back then!  ;-)

But, in the end, part of this is, not what YOU [the generic "you"] want
to force on customers, but what does the [perhaps educated] customer
WANT?

And, OBTW, do YOU trust a TCP/IP stack that has been re-engineered so
many times, and has built-in [and in many cases unadvertised] places
for breaking into it?

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
