Proxies or Stateful Inspection? It's All About Features
Proxies versus stateful inspection: The debate rages on among firewall vendors and their customers. Proxy vendors contend that stateful inspection products are not secure enough. But this is not necessarily true--some can implement the same level of protection you'd get with a proxy firewall. Stateful inspection vendors counter that proxy products are not transparent to users and don't perform well enough. Likewise, the former is not always true with modern proxy firewalls. However, the performance complaint is true enough--performance is often the price you pay for heightened security.

To decide which technology is right for you, consider the particular features of each firewall architecture and decide whether they apply to your environment.

With proxy firewalls, you must establish a TCP session with the firewall itself if you want to access a service on the other side of the firewall. A "proxy" of the application being accessed then inspects the data that is transmitted. The dual advantage here is that you have a centralized location from which to deal with TCP level attacks, and one point from which to ensure that a hacker is not trying to exploit any vulnerabilities that may be associated with this application. If the proxy application detects no problems, the firewall establishes another connection with the destination device.

By contrast, a stateful inspection firewall also looks at application data, but instead of actually running the application, it scans each packet and sets up state tables to track information that spans multiple packets. The advantage of this method is that it eliminates the overhead of running every packet through the application, usually resulting in better performance. This, in turn, makes it possible to handle protocols that a simple packet-filtering router could not handle. Like proxy firewalls, stateful inspection firewalls can identify attacks at the TCP level.

Some stateful inspection firewalls, such as Check Point's FireWall-1 and Cisco's PIX, can scan for harmful SMTP commands, while the proxy-based AXENT Raptor firewall can scan for valid HTTP syntax with HTTP or identify URLs with more than 2,000 characters (which would help limit buffer overflow attacks). If you are confident that your destination Web server is already sufficiently secured, or that the protective measures in the Raptor product don't address the particular vulnerabilities that concern you, then the trade-off between performance and protection will come down in favor of the performance of the stateful inspection products in such a face-off.

We've listed many product features in our chart (page TK)--but do ask vendors for specifics about what their products protect you from, then determine how their products address your particular security concerns. If you don't get a straight answer, in writing, move on to the next vendor.