[VPN] NetScreen / Juniper

Joseph S D Yao jsdy at center.osis.gov
Thu Mar 4 10:51:20 EST 2004


On Wed, Mar 03, 2004 at 05:41:24PM -0700, Travis Watson wrote:
> Joseph,
> 
> I'm not aware of any product in an ASIC or a micro-kernel/controller 
> architecture that are capable of "pure application proxies" but, I agree with 
> Mr. Snyder that it's largely smoke and mirrors anyway.

Only partly.  Not entirely.  It would have been nice to have learned of
some, but perhaps it's not likely [see my point about rate limiting
below].

> I assume you are thinking of Sidewinder firewalls when you ask the question 
> (correct me if I'm wrong).  Sidewinder is a fine firewall--extremely secure.  
> But they slapped on the proxy piece from their acquisition of Raptor.  

No on both counts.  I wasn't thinking of any.  Sidewinder bought
Gauntlet from NAI [and, yes, included parts of it], who had bought it
with TIS Labs, while Symantec bought up Raptor.

> Apparently it has done them well because their sales are up.  I don't want to 
> get into a flame war over everyone's favorite flavor of firewall, but Joel is 
> right in that "application proxy" is just a few baby steps away from snake 
> oil.  It's more for convenience from what I can tell.  Sidewinder was secure 
> without it but, I should think, no more secure with it.

No, there are real, functional differences.

I should have included in my response to Joel that it is unfortunately
true that less work has been done on application proxies, which is a
pity.  I think it is more driven by marketers' perceptions that making
a filtering firewall is easier and less expensive, though [and these
perceptions are probably true], rather than because of any security
studies.

> In the end, it just depends on the tool you need for your situation and the 
> budget you have to work with.  ...

Quite true.

> As for ASIC vs. micro-kernel/controller (looking at Joel's last couple and 
> yours), ASIC is king for pumping traffic.  ...

Also true.  But that just means that your rate limiting is done at the
inspection part - and if you are going for speed, the inspection is
likely to be sacrificed.

...
> As for VPN/firewall sales, what happens when Cisco goes to all those 
> Fortune500 companies (and others) that are already Cisco shops and says 
> something to the effect of, "Hey, why don't you just install our 'secure IOS' 
> on all your routers and manage them with our groovy central manager?  You 
> wouldn't have to change a thing architecturally and you would have a firewall 
> at all your routing points!"  It's a good question--one that 
> Juniper/Netscreen will have to answer and other firewall vendors can't 
> answer--and Cisco is only a bit of IOS development and a decent central 
> manager away from being able to ask it.

Quite true.  But, rationally, they should then analyze (a) the
intrinsic value of Cisco's offering versus other separate or integrated
offerings, and (b) the inherent risks of using an integrated tool
versus one that "does one thing but does it right".  On the third hand,
we're talking business here, and rationality doesn't always apply.  ;-/

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
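As an added illustration of the "real, functional differences" Joe points to between a filtering firewall and an application proxy, and of his remark that going for speed tends to sacrifice inspection: the following toy code is written for this page, is not Sidewinder, Gauntlet, NetScreen or any vendor's implementation, and runs both kinds of decision over the same constructed packets. The rule sets, the HTTP grammar subset and the sample payloads are all assumptions made for the example.

```python
"""Added example (not from the mailing-list thread): a stateless packet
filter and a minimal HTTP application proxy judging the same traffic.
Toy code for this page; it is not any vendor's implementation, and the
policies and payloads below are constructed for illustration."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


# --- Filtering firewall: decides on protocol and port only -------------
# Constant work per packet, which is why it is cheap to do at wire speed;
# the payload is never examined.
FILTER_RULES = {("tcp", 80), ("tcp", 443)}  # assumed policy


def packet_filter(pkt: Packet) -> bool:
    """Allow if the (protocol, destination port) pair is in the rule set."""
    return (pkt.proto, pkt.dport) in FILTER_RULES


# --- Application proxy: terminates the connection and parses the protocol
# Must reassemble and parse before deciding, so throughput is bounded by
# inspection cost rather than by header lookups.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # assumed policy
REQUEST_LINE = re.compile(rb"^([A-Z]+) ([^ \r\n]+) HTTP/1\.[01]$")
MAX_HEADER_BYTES = 8192                            # assumed limit


def http_proxy(pkt: Packet) -> tuple[bool, str]:
    """Accept only what parses as an HTTP/1.x request the policy permits.

    Returns (allowed, reason).  On success the reason is the request the
    proxy would itself originate toward the server, so only fields it
    understood are forwarded.
    """
    if pkt.proto != "tcp" or pkt.dport != 80:
        return False, "not plaintext http"
    data = pkt.payload
    if len(data) > MAX_HEADER_BYTES:
        return False, "header block too large"
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete or non-HTTP request"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    for h in lines[1:]:
        # Reject empty, folded (leading whitespace) or colon-less header lines.
        if not h or h[0] in b" \t" or b":" not in h:
            return False, "malformed header"
    return True, f"{method} {m.group(2).decode()}"


# --- Constructed sample traffic, all aimed at TCP/80 -------------------
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSH_ON_80 = b"SSH-2.0-OpenSSH_9.6\r\n"  # a non-HTTP protocol tunnelled on port 80
CONNECT = b"CONNECT evil.test:443 HTTP/1.1\r\nHost: evil.test:443\r\n\r\n"

SAMPLES = {
    "good": Packet("10.0.0.5", "192.0.2.10", 80, "tcp", GOOD),
    "ssh_on_80": Packet("10.0.0.5", "192.0.2.10", 80, "tcp", SSH_ON_80),
    "connect": Packet("10.0.0.5", "192.0.2.10", 80, "tcp", CONNECT),
}


def compare() -> dict[str, tuple[bool, bool]]:
    """(filter verdict, proxy verdict) for each sample."""
    return {name: (packet_filter(p), http_proxy(p)[0]) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} filter={packet_filter(pkt)!s:5s} proxy={http_proxy(pkt)}")
```

The port filter passes all three samples because each is TCP to port 80; the proxy passes only the well-formed GET, refusing the SSH banner as non-HTTP and the CONNECT request as a method outside policy. That is the functional gap at issue, and the extra parsing is also where the throughput cost of inspection lands.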


