On 3/19/07, Marcus J. Ranum <mjr@ranum.com> wrote:
> [...] if someone starts talking about PPS as a firewall
> benchmark, they may as well hold up a big sign that reads:
> "I DO NOT UNDERSTAND WHAT A FIREWALL DOES"
Meaning no disrespect, it must also be stated that many companies have
a business need for their networks to be both Secure and Fast.

I am reminded of the argument that Telnet is a terrible protocol,
because it has a huge amount of protocol overhead per byte of payload.
The protocol MUST operate that way to provide rapid user feedback.
Everything has its strengths and weaknesses.

Similarly, a layer 7 proxy does not provide any more security than a
layer 4 stateful packet filter - for a given protocol - if the layer 7
element does not enforce rules for that protocol. My favorite example
is ssh: port forwarding allows a lot of sins to be hidden from
centralized access control, but "it's encrypted, so it must be
secure." (Yes, there are ssh proxies that can address this, but
they're not a common feature in firewalls.)

Anyone who focuses purely on speed in a firewall will arguably gain
nothing, as any potential improvement in security is nullified by a
false sense of confidence. Anyone who completely neglects speed in a
firewall will arguably hurt their security posture by contributing to
the perception that security slows down your network, thus encouraging
end users - or even worse, CIOs - to attempt to bypass it.

-Jim
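The ssh point above, illustrated with an added example that is not part of the original post or any product mentioned in the thread: a layer 4 stateful filter can only decide "TCP to port 22, new flow, allow/deny", whereas a layer 7 element that parses the SSH connection protocol (RFC 4254 CHANNEL_OPEN messages) can see whether a channel is an interactive session or a `direct-tcpip`/`forwarded-tcpip` port forward and enforce a rule on it. The code assumes it is handed the *decrypted* channel-open payloads, which in practice means the inspecting element must be an SSH endpoint (the "ssh proxy" case the post mentions); the messages, hostnames and policy are constructed here for the demonstration.

```python
"""Layer 4 vs layer 7 decisions on an SSH session (added example, constructed data).

Assumption: the layer 7 inspector sees decrypted SSH_MSG_CHANNEL_OPEN
payloads (RFC 4254 section 5.1), i.e. it terminates the SSH connection.
A packet filter that only sees ciphertext on TCP/22 cannot do this.
"""
import struct

SSH_MSG_CHANNEL_OPEN = 90           # RFC 4254 message number
PORT_FORWARD_TYPES = ("direct-tcpip", "forwarded-tcpip")


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def build_channel_open(channel_type: bytes, extra: bytes = b"") -> bytes:
    """Construct a CHANNEL_OPEN payload: byte type, string channel type,
    uint32 sender channel, uint32 initial window, uint32 max packet, extra."""
    header = struct.pack(">III", 1, 2 * 1024 * 1024, 32768)
    return bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(channel_type) + header + extra


def build_direct_tcpip(host: str, port: int) -> bytes:
    """Constructed 'direct-tcpip' request (RFC 4254 section 7.2 layout)."""
    extra = (ssh_string(host.encode("ascii")) + struct.pack(">I", port)
             + ssh_string(b"127.0.0.1") + struct.pack(">I", 51234))
    return build_channel_open(b"direct-tcpip", extra)


def parse_channel_open(payload: bytes) -> dict:
    """Parse a decrypted CHANNEL_OPEN payload; raises ValueError/struct.error if malformed."""
    if not payload or payload[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN message")
    (type_len,) = struct.unpack_from(">I", payload, 1)
    ctype = payload[5:5 + type_len]
    if len(ctype) != type_len:
        raise ValueError("truncated channel type")
    offset = 5 + type_len
    sender, window, max_packet = struct.unpack_from(">III", payload, offset)
    offset += 12
    info = {"type": ctype.decode("ascii"), "sender": sender,
            "window": window, "max_packet": max_packet}
    if info["type"] in PORT_FORWARD_TYPES:
        # string host to connect, uint32 port to connect (originator fields follow)
        (host_len,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        host = payload[offset:offset + host_len]
        if len(host) != host_len:
            raise ValueError("truncated host")
        offset += host_len
        (port,) = struct.unpack_from(">I", payload, offset)
        info["target"] = (host.decode("ascii"), port)
    return info


def layer4_decision(proto: str, dst_port: int) -> str:
    """Stateful L4 filter: all it can check is protocol/port of a new flow."""
    return "allow" if proto == "tcp" and dst_port == 22 else "deny"


def layer7_decision(payload: bytes, allowed_types=("session",)) -> str:
    """L7 rule: only the listed channel types are permitted; malformed -> deny."""
    try:
        info = parse_channel_open(payload)
    except (ValueError, struct.error):
        return "deny"
    return "allow" if info["type"] in allowed_types else "deny"


def inspect_session(channel_opens) -> list:
    """Return (channel type or 'malformed', L4 verdict, L7 verdict) per channel.
    The L4 verdict is identical for every channel because the filter only saw
    the TCP/22 flow; the L7 verdict depends on what the channel actually is."""
    results = []
    l4 = layer4_decision("tcp", 22)
    for payload in channel_opens:
        try:
            ctype = parse_channel_open(payload)["type"]
        except (ValueError, struct.error):
            ctype = "malformed"
        results.append((ctype, l4, layer7_decision(payload)))
    return results


if __name__ == "__main__":
    # Constructed session: an interactive shell followed by a port forward
    # towards an internal database host (hostname is made up).
    sample = [build_channel_open(b"session"),
              build_direct_tcpip("db.internal.example", 5432)]
    for row in inspect_session(sample):
        print("channel=%-14s L4=%-5s L7=%s" % row)
```

The difference shows up only because the layer 7 element understands the protocol: both channels ride the same allowed TCP/22 flow, and the packet filter's verdict cannot vary between them. A proxy that merely relays port 22 without parsing the connection protocol would be no better than the packet filter, which is the post's point.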
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards