>Carric Dooley <[EMAIL PROTECTED]> says
>That is a religious argument my friend. Personally I would say an
>application proxy is more secure, but harder to manage and slower. I bet
>this will spark off some sort of debate however.

I have installed and configured both application proxy servers and
stateful inspection firewalls. The list includes Firewall-1, Cisco PIX,
TIS Toolkit, and Gauntlet. Unless you have some very unusual security
requirements, both types of systems can be used to configure robust
firewalls. In many respects they are functionally equivalent. I believe
you can probably make an application proxy more secure, but given the typical
security a corporation wants or needs, the added security benefit is
probably lost in the noise of other issues.

I generally find application proxies to be cleaner and more elegant
from an implementation standpoint and therefore in theory less prone
to configuration errors. I find them easier than stateful packet filters
to manage. They also by their very nature do NAT automatically. The
stateful filters have to add NAT functionality on top of the stateful
filtering code which adds to the complexity.

Application proxies do have less throughput for a given amount of CPU
horsepower, but that is not unexpected, since each connection has a higher
overhead. However, unless you have a pretty high bandwidth connection
(>10 mbps), the bottleneck is the bandwidth and not the firewall. And if
you can afford a high bandwidth Internet connection, you can certainly
afford the CPU speed to handle the higher bandwidth.

Smoot Carl-Mitchell
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]