Line of Firewalls - Page 2

 By Lynn Haber | Posted Oct 7, 2000

Filtering Vs. AGP

What do today's IT decision makers need to know about currently available firewall solutions?

One of the most important things they need to know is that network performance is key. No matter how many applications get added to the network, and no matter how much traffic grows, firewall technology must be able to keep up with performance requirements. However, it's been a given, up until recently, that firewalls slow down the network.

Vendors compete to provide the best performance with one of two key mechanisms used for access control: filtering technologies, primarily stateful inspection; and application gateway proxy (AGP). Of course, as we stated earlier, there's a trend in the market towards a hybrid firewall that deploys both mechanisms. Still, there are vendors, like Axent, for example, that solely offer AGP-based technology.

The conventional wisdom is that AGP is more apt to slow down network performance for the simple reason that this mechanism, which examines interactions on a higher level, requires more cycles to do its job. That job includes inspecting commands at the application level. In a nutshell, AGP requires two connections. One connection occurs when there's a request for connection. The firewall catches the request and looks through its rules; if the request is OK, an AGP firewall establishes a second connection, which means the firewall sits in the middle while it governs the connections between the two points. AGP performance has improved markedly, and the technology is respected for offering stronger firewall protection than stateful inspection-based solutions.
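A minimal illustration of the two-connection model described above, added here as an example (it is not code from the article or from any vendor it mentions): the gateway terminates the client's connection, checks the application-level command against a rule set, and only then opens its own second connection to the protected server. The allowlist, the echoing stand-in server and the loopback setup are constructed for the demonstration.

```python
import socket
import threading

# Constructed allowlist of application-level commands the gateway will relay
# (an assumption for this example; a real AGP ships protocol-specific rule sets).
ALLOWED_COMMANDS = {"GET", "HEAD"}


def inspect_request(request: bytes) -> bool:
    """Application-level rule check: the first token must be an allowed command."""
    parts = request.strip().split()
    return bool(parts) and parts[0].decode("ascii", "replace").upper() in ALLOWED_COMMANDS


def gateway(listener: socket.socket, backend_addr) -> None:
    """Connection #1 ends at the gateway. Only a request that passes inspection
    causes connection #2 to be opened to the protected server."""
    client, _ = listener.accept()
    with client:
        request = client.recv(4096)
        if not inspect_request(request):
            client.sendall(b"403 denied by gateway\r\n")  # no second connection
            return
        with socket.create_connection(backend_addr) as backend:
            backend.sendall(request)               # gateway sits in the middle
            client.sendall(backend.recv(4096))


def fake_backend(listener: socket.socket) -> None:
    """Constructed stand-in for the protected server: echoes what it received.
    accept() times out when the gateway denied the request and never connected."""
    try:
        conn, _ = listener.accept()
    except OSError:  # timeout: request was denied upstream
        return
    with conn:
        conn.sendall(b"200 backend saw: " + conn.recv(4096))


def relay_through_gateway(request: bytes) -> bytes:
    """Run backend and gateway on loopback and push one request through the gateway."""
    backend_ls, gateway_ls = socket.socket(), socket.socket()
    for ls in (backend_ls, gateway_ls):
        ls.bind(("127.0.0.1", 0))
        ls.listen(1)
    backend_ls.settimeout(1.0)
    threads = [threading.Thread(target=fake_backend, args=(backend_ls,)),
               threading.Thread(target=gateway, args=(gateway_ls, backend_ls.getsockname()))]
    for t in threads:
        t.start()
    with socket.create_connection(gateway_ls.getsockname()) as c:
        c.sendall(request)
        reply = c.recv(4096)
    for t in threads:
        t.join()
    backend_ls.close()
    gateway_ls.close()
    return reply
```

A denied request never reaches the backend at all, which is the property that makes this model stronger than a packet filter that has already forwarded the SYN.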

"We selected the Raptor firewall because we believe it provides the most robust and flexible solution for the bank," says Suncoast's Verzone. The Axent product also has the ability to separate the home banking piece as a separate subnetwork from the main campus network while still allowing it to be on the same physical network.

Although Verzone is a fan of AGP technology, he admits that the bank's network did take a performance hit when it instituted home banking: internal users waited 30 to 40 seconds on average when they tried to access the Internet. At the time, the bank ran a full T1 connection. "We lived with the degradation for a while then moved the home banking service onto a separate cable-based connection, which cleared up the problem," he says.

Filtering technology, on the other hand, looks at packets and makes authorize-or-deny decisions about making a connection. According to Schacter, vendors with filtering firewalls are doing a better job of examining more content, closing the gap with AGP. Users reportedly get performance advantages, as well.

Vendors like Checkpoint Software have enabled their firewall to run some AGP on some network traffic. CyberGuard also offers a hybrid firewall.


Firewall Appliances

Another major trend in firewall technology is the move toward the firewall appliance. Originally, firewalls were software solutions that required users to buy a platform to run them on, usually Unix or Microsoft Windows NT, with Unix favored of the two for its better performance and stability. Today, however, most vendors have added firewall appliances to their line of solutions.

The black box approach packages hardware and software and uses proprietary operating systems. This turnkey approach is generally less expensive, and is easy to manage and administer. For companies with little in-house security expertise or for companies of any size deploying firewalls in a small or remote office, the firewall appliance is a good solution that requires little baby-sitting. By the same token, vendors don't provide the same kind of hand-holding for these products.
