You're not off base.  FW-1 was very well designed for speed.  The inspect
engine runs in the kernel space, where it should.  Application Layer
Gateways and Proxies run out in the user space and aren't going to get the
same CPU attention, especially under load.

Since I've opened my mouth (keyboard?), I might as well comment on the
Proxy vs. ALG thing, too.  As the definition of a proxy was posted earlier,
it seems easy to me to understand what is and what is not a proxy.  With a
proxy, there are two distinct connections: one from the browser to the
proxy and another from the proxy to the web server (in the case of HTTP).
Seems simple enough to me that when there's a single connection from the
browser to the web server, there's no proxy involved.

As for FW-1's security, well...  I still can't believe its default
configuration.  It's no secret that things like DNS and RIP get passed by
default and an explicit rule to deny everything doesn't stop that.  Why
doesn't Check Point just change the default configuration to NOT pass them?

Whatever...I hope I don't regret posting this.  :-)
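As an added illustration of the "two distinct connections" point above (this is example code written for this page, not code from the thread or from any firewall product), the script below runs a tiny origin server and a minimal TCP proxy on localhost. The origin server reports the peer address it observed, so you can see that it only ever sees the proxy's own source address and port, never the browser's. A stateful packet filter would instead forward the client's own packets and the server would see the client directly. All hosts, ports and the request bytes are constructed for the example.

```python
"""Minimal TCP application-layer proxy (example code, not from the thread).

With a proxy there are two distinct TCP connections: client -> proxy and
proxy -> server.  The server therefore sees the proxy's source address, and
the proxy can inspect or rewrite the stream in between.  Everything here
runs on 127.0.0.1 with ephemeral ports so it works offline.
"""
import socket
import threading


def _serve_one(listener, handler):
    # Accept exactly one connection, hand it to the handler, then close.
    conn, _ = listener.accept()
    listener.close()
    with conn:
        handler(conn)


def start_origin_server():
    """Start a one-shot origin server that answers with the peer it saw.

    Returns (port, results); results['peer'] is filled by the server thread
    and the reply body is 'peer=<host>:<port>'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    results = {}

    def handler(conn):
        peer = conn.getpeername()
        results["peer"] = peer
        conn.recv(4096)  # the request; not parsed in this example
        conn.sendall(("peer=%s:%d" % peer).encode())

    threading.Thread(target=_serve_one, args=(srv, handler), daemon=True).start()
    return srv.getsockname()[1], results


def start_proxy(upstream_port):
    """Start a one-shot proxy: accept a client, open a *separate* connection
    to the upstream server, relay the request, relay the reply back.

    Returns (proxy_port, results); results['upstream_local'] records the
    proxy's own source address on the second connection."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    results = {}

    def handler(client):
        request = client.recv(4096)
        # Second, independent TCP connection: proxy -> server.
        with socket.create_connection(("127.0.0.1", upstream_port)) as up:
            results["upstream_local"] = up.getsockname()
            up.sendall(request)
            reply = up.recv(4096)
        client.sendall(reply)

    threading.Thread(target=_serve_one, args=(lst, handler), daemon=True).start()
    return lst.getsockname()[1], results


def fetch_via_proxy():
    """Drive one full exchange and return what each side observed."""
    origin_port, origin_seen = start_origin_server()
    proxy_port, proxy_seen = start_proxy(origin_port)
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        client_local = c.getsockname()
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed request
        body = c.recv(4096).decode()
    return {
        "client_local": client_local,            # the browser's own socket
        "server_saw": origin_seen["peer"],       # what the origin observed
        "proxy_upstream_local": proxy_seen["upstream_local"],
        "body": body,
    }


if __name__ == "__main__":
    r = fetch_via_proxy()
    print("client socket      :", r["client_local"])
    print("server saw peer    :", r["server_saw"])
    print("proxy upstream sock:", r["proxy_upstream_local"])
```

Run it and compare the three addresses: the origin server's peer is the proxy's upstream socket, not the client's, which is exactly the two-connection behaviour that distinguishes a proxy from a stateful filter forwarding the client's own packets.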


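The complaint above about default-passed services that an explicit deny-everything rule does not stop comes down to rule ordering. The following is a generic first-match model written for this page (it is not FireWall-1's rule engine, and the implied rules and packets are constructed for illustration) showing why a trailing deny-all never sees a packet that an earlier implied rule has already accepted, and an audit helper a practitioner can use to check which "expected blocked" packets actually pass.

```python
"""Toy first-match firewall rule model (example code, not from the thread
and not any vendor's real policy).

Some products insert "implied" rules ahead of the administrator's rule
base.  Because evaluation is first-match, a final 'deny everything' rule
never sees a packet that an implied rule accepted earlier.  The check you
want is to evaluate the *effective* list (implied + explicit) against the
packets you expect to be blocked.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "udp", "tcp" or ANY
    dport: object   # int or ANY
    action: str     # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.proto in (ANY, pkt.proto) and rule.dport in (ANY, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match evaluation: return the rule that decides the packet."""
    for r in rules:
        if matches(r, pkt):
            return r
    return None


# Constructed implied rules placed *before* the administrator's rule base
# (an assumption for the model; the real defaults of any product will differ).
IMPLIED_RULES = [
    Rule("implied-dns", "udp", 53, "accept"),
    Rule("implied-rip", "udp", 520, "accept"),
]

# The administrator's rule base: a single explicit deny-all.
EXPLICIT_RULES = [
    Rule("deny-all", ANY, ANY, "drop"),
]


def effective_policy(implied_enabled: bool) -> List[Rule]:
    """The rule list in the order the engine actually evaluates it."""
    return (IMPLIED_RULES if implied_enabled else []) + EXPLICIT_RULES


def decide(implied_enabled: bool, pkt: Packet) -> str:
    """Return '<action>:<rule name>' for the packet, e.g. 'accept:implied-dns'."""
    r = evaluate(effective_policy(implied_enabled), pkt)
    return "drop:default" if r is None else f"{r.action}:{r.name}"


def audit(implied_enabled: bool, expected_blocked: List[Packet]) -> List[str]:
    """List the packets expected to be blocked that actually pass, with the
    rule responsible.  An empty list means deny-all really is the last word."""
    leaks = []
    for p in expected_blocked:
        verdict = decide(implied_enabled, p)
        if verdict.startswith("accept"):
            leaks.append(f"{p.proto}/{p.dport} via {verdict.split(':')[1]}")
    return leaks


if __name__ == "__main__":
    probes = [Packet("udp", 53), Packet("udp", 520), Packet("tcp", 80)]
    print("implied rules on :", audit(True, probes))   # DNS and RIP leak
    print("implied rules off:", audit(False, probes))  # nothing leaks
```

The practical takeaway is that the rule base you wrote is not the policy the box enforces; the policy is the effective ordered list, and the only reliable check is to evaluate that list (or probe the device) with the traffic you believe is denied.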

-----Original Message-----
From: Carric Dooley [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 08, 1999 11:32 AM
To: Breach, Geoff
Cc: [EMAIL PROTECTED]
Subject: RE: Enterprise Level Firewalls?


Not that anyone cares.. but I MUST disagree.  There is no way in HELL an
app proxy is faster than stateful inspection.  To date, the fastest
firewall for just throughput is PIX (weighing in at something like 150Mb
throughput in testing by Network Computing a while back.. it's probably
faster now), and second would have to be FW-1 (particularly if you have it
on one of those "obscure Nokia routers" you mentioned in an earlier post;
some independent testing is under way that rates the IP 650 at around
120Mb's throughput).

At the axent site they are excited to have tripled their throughput from
13Mb's to 45Mb's.

Don't get me wrong, I know this number is NOT a definitive yardstick by
which to measure how "good" a firewall is, but to say Raptor and (god
help us all) GAUNTLET are "real enterprise firewalls" while FW-1 is a
"wannabe" is in my opinion LUDICROUS.  If I had a project where I was
going the app proxy route, I think I would pick Raptor (since implementing
two year-old technology is not something I would do personally, I probably
wouldn't put Gauntlet in my tool box.. esp. after the one I saw at my
current site running on a Sparc Ultra 10 was "dogging itself out" with
around 2000 users so badly, many were using their modems to dial into
their ISPs because the performance was superior.  The new FW-1 firewall
we implemented is SO much faster, we have since added another 1000
internet users, and the performance is still MANY times faster).

If you have performance stats or some whitepapers that would show me that
I am way off base, please forward them to me.  If I am way off base here,
I will attempt to mend my evil ways, but until then, I am sticking to my
guns.




Carric Dooley CNE
COM2:Interactive Media
http://www.com2usa.com

"Luck is the residue of design." 
- Branch Rickey - former owner of the Brooklyn Dodger Baseball Team 

On Mon, 8 Nov 1999, Breach, Geoff wrote:

> > I am specifically looking for firewalls which would handle a load of
> > approx. 500 - 1000 computers (Enterprise Level ? ) - some of which would
> > access the 'outside world' fairly often (email, web e.t.c.)
> 
>  There are arguably three decent firewall products that fit this
> bill well - well, two and a wannabe... Mind you, when you start
> asking product-based questions, you start a religious argument.
> Here's one man's (my) side of that argument:
> 
> 1) Axent Raptor: The fastest of the three I will mention, despite
>    that it is an application level gateway with full proxy for
>    everything, including transparent proxy for UDP. Available for
>    Sparc/Solaris, Intel/WinNT and (kinda-sorta) PA-RISC/HP-UX.
>    Lots of authentication options, good VPN. Installs secure, and
>    hardens the OS on the way in. Clustering options on both platforms,
>    cross-platform management, integration with intrusion detection.
>    Very secure, very fast, very flexible, my personal choice. 
> 
> 2) TIS (not Network Associates) Gauntlet Firewall. I'm not 100%
>    up to speed on platforms, etc. I believe it is available for
>    Intel/BSDI, Intel/WinNT and Sparc/Solaris. Again, an application
>    level gateway - the oldest, most respected firewall around.
>    Not as flexible as the Raptor, I don't know performance
>    figures. My second choice.
> 
>  Those two are proper, real-world, serious firewalls. Both quite
> secure (when properly configured of course). I have heard some
> noises of late that are concerned about how committed Network
> Associates are to the Gauntlet product, and whether they will
> continue support as TIS did - only time will tell there, but I
> have no qualms with either of those two.
> 
>  Both perfectly capable of handling your performance requirement.
> 
> 3) Checkpoint Fireball-1. Not a proper firewall, despite what
>    the marketeers would have you think. Available for just
>    about every platform you can think of, including obscure 
>    things like Nokia routers. It is a stateful packet filter, with
>    a bit of application level filtering thrown in as an 
>    afterthought. Much slower than the Axent Raptor in any
>    apples-for-apples comparison, despite that on theoretical
>    grounds, it should far outperform the Raptor. The Checkpoint
>    does have market share, but that's more a result of marketing
>    success than technology. It is very good at network address
>    translation, particularly if you have complex NAT requirements.
>    It contradicts itself somewhat by having a very nice 'firewall
>    for dummies' user interface, but at the same time a few hidden
>    traps for young players. Ships and installs insecure, and 
>    requires detailed attention to put it right. Not bad in the
>    hands of a skilled security professional, but pretty damn
>    dangerous in the hands of a new player. I wouldn't piss on 
>    it if it was on fire... Well, maybe I would... :-)
> 
> 
>    
>  In a nutshell, that's the product space I think you should be 
> considering. As another poster has already mentioned, there is a 
> lot more to this argument - I've only presented a little bit. 
> 
> HTH,
> 
> Geoff
> --
> CREDIT | FIRST   Geoff Breach, [EMAIL PROTECTED], +61293944040
> SUISSE | BOSTON  Global Network Services - Asia Pacific Engineering
>                  Opinions expressed herein are mine, not my employer's  
> 
> This message is for the named person's use only.  It may contain
> confidential, proprietary or legally privileged information.  No
> confidentiality or privilege is waived or lost by any mistransmission.  If
> you receive this message in error, please immediately delete it and all
> copies of it from your system, destroy any hard copies of it and notify the
> sender.  You must not, directly or indirectly, use, disclose, distribute,
> print, or copy any part of this message if you are not the intended
> recipient. CREDIT SUISSE GROUP, CREDIT SUISSE FIRST BOSTON, and each of
> their subsidiaries each reserve the right to monitor all e-mail
> communications through its networks.  Any views expressed in this message
> are those of the individual sender, except where the message states
> otherwise and the sender is authorised to state them to be the views of any
> such entity.
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
