[VPN] NetScreen / Juniper
Joseph S D Yao
jsdy at center.osis.gov
Wed Mar 3 17:54:12 EST 2004
On Wed, Mar 03, 2004 at 03:14:03PM -0700, Joel Snyder wrote:
> "pure application proxy" is a marketing buzzword and does not represent
> real technology. It's the rehashing of a 10-year-old argument that the
> "pure application proxy" vendors have failed to live up to. Proxy-based
> firewalls have never taken advantage of the architecture to the extent
> they claimed they could; packet-filtering (stateful) firewalls have
> created similar or better controls at the application layer than their
> proxy-based cousins.
>
> I recently did an evaluation of both kinds of products to see which had
> lived up to their promise and, frankly, the proxy-based firewalls have
> come only 2 baby steps in the last 5 years while the stateful packet
> inspection devices have made huge strides, in some cases supplanting the
> capabilities of the "pure application proxy" folks.
>
> The arguments offered by proxy firewalls as to why they're "better" are
> largely smoke and mirrors, and are not supported by the facts. In many
> cases, they have appended shitty non-stateful packet filtering firewalls
> to deal with their miserable proxy performance; in all cases, they have
> failed to exploit the application-layer visibility except in very
> specific cases, mostly HTTP. Their SMTP proxies are a joke, generally
> reducing total system security and trading on general fear that somehow
> a Microsoft TCP/IP stack is vulnerable just because it came from Microsoft.
>
> The proof of the pudding is in the eating, and folks who have built-in
> application layer visibility and ASIC-level speed (including Check
> Point, NetScreen and maybe Cisco) are at a distinct advantage.

I would be interested to see your study. I have asked for proofs of
the marketing phrases you use, above, and have never gotten anything
useful. Of course, stateful inspection has to have come a lot further
from where it was back then! ;-)

But, in the end, part of this is, not what YOU [the generic "you"] want
to force on customers, but what does the [perhaps educated] customer
WANT?

And, OBTW, do YOU trust a TCP/IP stack that has been re-engineered so
many times, and has built-in [and in many cases unadvertised] places
for breaking into it?
--
Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.