Security
REVIEW
Application-Level Firewalls: Smaller Net, Tighter Filter

  March 21, 2003
  By Mike Fratto



Check Point Software Technologies FireWall-1 NG FP3

OK, how many of you know that FireWall-1 NG has application proxies? Not many, I bet. Check Point has been putting in application proxies--Security Servers in Check Point parlance--since version 4.0. We found a huge difference in HTTP performance when Security Servers were active as compared with performance when they were inactive. HTTP performance took a dive when we enabled application scanning, highlighting what we knew all along: Application filtering is much more resource-intensive than stateful packet filtering. However, the price is worth paying because the protection you get with application proxies is much better.

The FireWall-1 management GUI still offers the same rule-based paradigm. It's clean and easy to use and the logging is better than what you'd find with most other firewalls in terms of detail. Symantec's Enterprise Firewall is one that provides more detail. If you want to blend application proxies with stateful packet filtering, FireWall-1 will provide good protection and performance.

Security Servers are added via the resource mechanism. In the resources area you can configure specific protection features, such as URL length for HTTP or MIME types for SMTP. Once the resource is configured, it is added to the rule base just like a regular service and you're done. The types of protection are configured in the SmartDefense dialog for the particular resource. Using HTTP as an example, the HTTP Security Server SmartDefense options are applied to all HTTP Security Servers or to one selected in the rule base. Here we could choose to enforce URL lengths and HTTP Header lengths as well as enforce the use of ASCII characters in the HTTP request and response headers. Because Web server buffer overflows tend to use long strings in header fields and/or pass non-ASCII data in the header, these two selections should block requests that are not HTTP-compliant.
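As an added example (not Check Point's code and not from the review), here are the three HTTP Security Server checks described above modelled in Python over constructed requests: URL length, header length, and ASCII-only headers. The length limits are assumed values, since the page does not state FireWall-1's defaults.

```python
# Added example, not Check Point's code: a minimal model of the HTTP
# Security Server checks the review describes, applied to raw request bytes.
MAX_URL_LEN = 2048      # assumed limit; the page gives no FireWall-1 default
MAX_HEADER_LEN = 1024   # assumed limit; the page gives no FireWall-1 default


def check_http_request(raw: bytes, max_url=MAX_URL_LEN, max_header=MAX_HEADER_LEN):
    """Return a list of violations; an empty list means the request passes."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    url = parts[1]
    if len(url) > max_url:
        violations.append(f"URL length {len(url)} exceeds {max_url}")
    for i, line in enumerate(lines):
        # Header-length check applies to header fields, not the request line.
        if i > 0 and len(line) > max_header:
            violations.append(f"header length {len(line)} exceeds {max_header}")
        # Headers are ASCII; the review notes overflow payloads often carry
        # binary data here. Tab is the only control byte allowed.
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            shown = line[:20].decode("ascii", "replace")
            violations.append("non-ASCII byte in header: " + shown)
    return violations


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
LONG_URL = b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"
BINARY_HDR = (b"GET / HTTP/1.0\r\nUser-Agent: "
              + bytes(range(0x80, 0x90)) + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("LONG_URL", LONG_URL), ("BINARY_HDR", BINARY_HDR)):
        print(name, check_http_request(req) or "pass")
```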

Figure: Check Point's SmartDashboard

During our performance tests, FireWall-1 NG operated at 766 Mbps during stateful packet filtering. Once we enabled the Security Server, performance dropped to 122 Mbps. It's the same old trade-off--performance versus protection. Bear in mind, however, that using application proxies is not an all or nothing option with FireWall-1 or any of the firewalls we tested. It's possible to mix and match proxy and stateful packet filtering in the same rule base to balance protection and performance on a per-rule basis.

FireWall-1 NG offers other protection mechanisms besides the Security Servers. Some checks--including URL regular expression matching and detection of IP spoofing, DoS (denial of service) attacks, and other network- and transport-layer anomalies--are performed in the kernel without the need for Security Servers. This translates to improved protection without sacrificing performance.

FireWall-1 NG has a good mix of both performance and protection; however, we think that Sidewinder, with its OS type enforcement, split DNS and SMTP, and H.323 application proxies, puts it over the top. If you're a FireWall-1 user, try to eke out some more protection without hitting performance too much.

FireWall-1 Next Generation Feature Pack 3, Check Point Software Technologies, (800) 429-4391, (650) 628-2000. www.checkpoint.com

