Seven Firewalls Fit for Your Enterprise
Proxy vs. Stateful Inspection

Stateful inspection technology keeps tables to track the status of each connection, as well as commands that appear in the application layer, and regulates traffic flow accordingly. The tables are checked before data is allowed to touch the OS of the firewall, but header information from the original connection passes through the firewall unchanged if the defined policy allows the access.

Proponents of proxy technology argue that it is inherently more secure because the applications built to intercept communications for specific protocols will explicitly allow only necessary, secure and valid operations. The stateful inspection camp claims its technology can achieve security equivalent to what's possible with proxy technology, without subjecting traffic to the performance penalties incurred from replicating each application on the firewall.

In our tests, AXENT's Raptor, which had the best proxies, exhibited some security controls that were absent in FireWall-1, which was the best stateful inspection-type product--but Raptor paid a price in performance to achieve this.

Another disadvantage of proxy technology is that you are at the mercy of the vendor to write a proxy that supports every application you need. Although all the proxy vendors in our tests managed to provide access for protocols they did not support, their generic proxies did not add any value because there was no corresponding application to inspect the traffic. And what's more, the generic proxy itself incurred the same performance hit.

The pros and cons of proxies and stateful inspection are examined further online at www.networkcomputing.com/921/921f2side2.html.

In addition to Check Point's FireWall-1, the firewalls from Cisco, NetScreen and NetGuard all use the stateful inspection method. Overall, we found that these products generally performed better than the AXENT, CyberGuard and Secure Computing products, which use proxy technology. In fact, Cisco's PIX performed at close to wire speed (see "How We Tested Firewall Performance," page 76).

Other Observations

While troubleshooting some connections on either side of the proxy firewalls with multiple protocol analyzers, we noticed that it was much more difficult to follow the data than it was when using the stateful inspection products. The reason is that the source ports and sequence numbers normally used to identify a packet in multiple locations changed when the packet header was rewritten, making the packet much more difficult to identify. We were forced to sift through the data layer for clues to help identify the packet. If you have ever attempted to observe the status of packets on multiple points in a network, you will know this task is difficult enough without adding another layer of complexity. Keep in mind that when using NAT (Network Address Translation), you will run into similar complexities when attempting to diagnose problems, since the packet header has to change.

We did not test each vendor's ability to protect a network from an attack, since all the products are certified by the International Computer Security Association (www.ICSA.net), which has a full-time staff and a suite of tools dedicated to this testing. We did not feel we could add anything to their efforts. Even so, don't be lulled into allowing any more access than is absolutely necessary, and remember to systematically eliminate all possible vulnerabilities on machines behind the firewall to prevent one compromised machine from becoming a base of operation for completely undermining the integrity of the firewall.

All seven products performed NAT, which hides the addresses of all devices initiating connections from inside your network by converting their source address to the firewall's external address. This is a necessity if you change ISPs and don't own your own address space, if you use an unregistered address space, or if you simply want to communicate on the Internet without revealing details about your internal network. When you want to allow outside access to servers inside your network, you can provide additional external addresses that are directly mapped to the corresponding internal address.

A firewall is an obvious place to set up VPNs. All the firewalls we tested, except NetScreen-100, had this capability.
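To make the stateful-inspection and NAT behaviour described above concrete, here is a toy model added for this write-up (not code from the article or from any of the reviewed products): it keeps a connection table, rewrites outbound source addresses to the firewall's external address, only admits inbound packets that match a tracked connection, and honours a static mapping for an inside server. All addresses are constructed documentation values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "203.0.113.1"                 # firewall's outside address (constructed)
STATIC_MAP = {"203.0.113.2": "10.0.0.80"}   # extra external address -> inside server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection

# A tracked connection is identified by the original inside 4-tuple.
Key = Tuple[str, int, str, int]

class StatefulNatFirewall:
    def __init__(self) -> None:
        self.next_port = 40000                  # next translated source port
        self.by_key: Dict[Key, int] = {}        # inside 4-tuple -> NAT port
        self.by_port: Dict[int, Key] = {}       # NAT port -> inside 4-tuple

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: create state on SYN, rewrite the source."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.by_key:
            nat_port = self.by_key[key]
        elif pkt.syn:
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.by_key[key] = nat_port
            self.by_port[nat_port] = key
        else:
            return None   # mid-stream packet with no table entry: drop
        # The header the outside world sees carries a different source
        # address and port, which is why tracing a packet across the
        # firewall with protocol analyzers gets harder.
        return Packet(EXTERNAL_IP, nat_port, pkt.dst, pkt.dport, pkt.syn)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: admit only replies or statically mapped servers."""
        if pkt.dst == EXTERNAL_IP:
            key = self.by_port.get(pkt.dport)
            if key and key[2] == pkt.src and key[3] == pkt.sport:
                src, sport, _, _ = key
                return Packet(pkt.src, pkt.sport, src, sport, pkt.syn)
            return None   # no matching connection: unsolicited, drop
        inside = STATIC_MAP.get(pkt.dst)
        if inside is not None:
            return Packet(pkt.src, pkt.sport, inside, pkt.dport, pkt.syn)
        return None
```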