In the firewall vendor wars a great deal of energy seems to be spent in the marketing department(s) trying to differentiate products from each other. One typical way of rating a firewall is the number and/or type of proxies supported. This is often presented as a series of checkboxes or points similar to this:

So the vendor with the longest list wins! Vendors often say they support a long list of protocols via a generic proxy. These generic proxies are more properly called circuit layer proxies, which are the most basic type of proxy. Security is generally better when the proxy knows more about the protocol. In the case of support for UDP-based RealAudio, RPC services, and FTP services, this protocol knowledge is required for the protocol to be used securely.

What isn't clear from the bulleted list is how the firewall vendor intends to support the protocol. Do they have a proxy that is knowledgeable about the protocol, or is it just a circuit layer proxy? The customer may not be making a fair comparison.
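To make the circuit-layer versus protocol-aware distinction concrete for the FTP case mentioned above, here is an added example (not from the original article or any vendor's product) that contrasts a circuit relay, which copies control-channel lines without reading them, with a minimal application-layer check that parses the FTP PORT command and only forwards it when the requested data connection goes back to the connecting client on an unprivileged port. The function names, the 192.0.2.x addresses and the policy thresholds are constructed for illustration.

```python
import re

# FTP "PORT h1,h2,h3,h4,p1,p2": four address octets, then a 16-bit port split into two bytes.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def circuit_relay(line: str) -> str:
    """A circuit-layer proxy: once the session is allowed, every control line is
    passed through unchanged. It has no idea that PORT asks the server to open a
    new connection to an arbitrary address."""
    return line


def parse_port(line: str):
    """Return (host, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_proxy_check(line: str, client_ip: str):
    """An application-layer decision for one FTP control line.

    Non-PORT commands are forwarded. A PORT command is forwarded only if the data
    connection it requests goes back to the client that issued it, on a port
    above 1023 (constructed policy for this example). Everything else is rejected
    with a reason the proxy could log.
    """
    if not line.upper().startswith("PORT"):
        return "forward", None
    parsed = parse_port(line)
    if parsed is None:
        return "reject", "malformed PORT"
    host, port = parsed
    if host != client_ip:
        return "reject", "PORT host differs from client address"
    if port < 1024:
        return "reject", "PORT targets privileged port"
    return "forward", f"{host}:{port}"


if __name__ == "__main__":
    # Constructed sample: the client at 192.0.2.10 sends two PORT lines.
    for cmd in ("PORT 192,0,2,10,4,1", "PORT 192,0,2,99,4,1"):
        print(cmd, "->", ftp_proxy_check(cmd, "192.0.2.10"), "| relay:", circuit_relay(cmd))
```

The circuit relay returns both lines untouched; only the protocol-aware check notices that the second PORT points somewhere other than the client.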

Michael Richardson
Wed Nov 13 13:54:09 EST 1996