Review: Deep Inspection Firewalls

    Date06 May 2005
    Posted ByBrittany Day
    If it were on public display, this portion of our Firewall Blowout would be the geek equivalent of the Chicago Auto Show. Our Chicago Neohapsis partner labs focused on the muscle cars: enterprise-class, gigabit-capable network firewall appliances and turnkey systems that support high-availability stateful failover, VPNs and centralized management as well as DI (deep inspection), which we define as having the ability not only to perform stateful packet filtering, but also to inspect packet payloads higher up the OSI model using specific attack signatures and Layer 7 protocol engines.

    Historically, firewalls have been assigned blue-collar access-control duties while IDSs (intrusion-detection systems) take on the sexier task of inspecting data traffic for signs of attack or anomalous packets. But over the past couple of years we've seen rebuilds in the firewall space reminiscent of old rods being retrofit with superchargers and nitrous oxide. Gone are the days of sedate firewall packet filters; now only the fast and the furious can compete. The streets are owned by smart firewall appliances at various metamorphic stages of incorporating intrusion-detection and intrusion-prevention functionality.

    When we set out to investigate the pros and cons of buying the latest and greatest firewall muscle, our scenario was deceptively simple: We built a three-tiered architecture with an Internet, a DMZ and an internal network. Because we were simulating an enterprise setting, we asked vendors to send redundant hardware. We tested VPN throughput with two identical firewalls in a site- to-site gateway configuration. All other testing was performed in high-availability mode with dual firewalls in active-passive configuration. We specified 500-Mbps throughput and the ability to manage and perform under 50, 250 and 500 firewall rules.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.