Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: Stateful Packet Screens
From: Mike Shaver <shaver@neon.ingenia.ca>
Date: Tue, 2 Jul 1996 01:00:55 -0400 (EDT)
To: Ryan.Russell@sybase.com (Ryan Russell/SYBASE)
Cc: firewalls@greatcircle.com
In-reply-to: <9607012013.AA21329@notesgw2.sybase.com> from "Ryan Russell/SYBASE" at Jul 1, 96 01:13:23 pm

Thus spake Ryan Russell/SYBASE:
> This is because, by their nature, many of them store a significant
> portion of the document on its way through, and hence, would make it
> easier to run through some script on the proxy server.

I don't think that's necessarily `by their nature', although I'll
concede that the vast majority of AGs deal with data with larger
granularity than the vast majority of SPFs.

> This would also be why they would
> tend to be slower.

I think it's because of:
- kernel->user->kernel data copying, since most AGs run in user space.
- doing more complex analysis/manipulation of the data, which
obviously takes more CPU time. (This includes the AG's TCP, if any.)

> I suspect that one will have a much easier time
> allowing a new type of service on a SPF than an AG.

Warning: ports are not always related to services/protocols in a
1-to-1 way.  Current SPFs only really look at port and protocol info,
so you can easily end up letting something through that wasn't
intended, if the port->application mapping isn't what you think it is.

> Are there proxies that are as transparent as something like FW1?

You can make a transparent proxy (which is probably closer to an AG
than an SPF, by traditional behavioural criteria) which requires no
change to the client configuration.  Usually requires kernel support,
I think.

Mike

-- 
#> Mike Shaver (shaver@ingenia.com) Ingenia Communications Corporation  <#
#>                 UNIX medicine man -- dark magick, cheap!            <#
#>                                                                     <#
#>  When the going gets tough, the tough give cryptic error messages.  <#
#>          "We believe in rough consensus and running code."          <#
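The warning above about ports not mapping 1-to-1 to protocols can be made concrete. The following is an added example, not code from the original post or from any product discussed in this thread: a toy "stateful packet filter" that decides on (protocol, destination port) alone, next to a toy "application gateway" that actually parses the first bytes of the stream. The rule set, the flows and the minimal HTTP/SMTP grammar checks are all constructed for illustration.

```python
"""Added example (not from the original post): why "port == service" is a
weak assumption for a port/protocol-level packet screen (SPF), and what an
application gateway (AG) that speaks the protocol sees instead.

Everything here is constructed sample data; the HTTP and SMTP checks are
deliberately minimal and only illustrate the difference in granularity."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes    # first bytes the client sends on the connection


# Hypothetical SPF policy: allow TCP to 80 (HTTP) and 25 (SMTP), deny the rest.
SPF_ALLOW = {("tcp", 80), ("tcp", 25)}


def spf_allows(flow: Flow) -> bool:
    """What a port/protocol screen decides on: it never looks at the payload."""
    return (flow.proto, flow.dst_port) in SPF_ALLOW


# Toy protocol grammars: the first client line must look like the protocol
# the port is supposed to carry.
_HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) \S+ HTTP/1\.[01]\r\n")
_SMTP_FIRST_CMD = re.compile(rb"^(HELO|EHLO) [A-Za-z0-9.-]+\r\n")


def http_gateway_allows(flow: Flow) -> bool:
    """Toy HTTP proxy: refuse anything whose first line is not an HTTP request."""
    return flow.proto == "tcp" and _HTTP_REQUEST_LINE.match(flow.payload) is not None


def smtp_gateway_allows(flow: Flow) -> bool:
    """Toy SMTP proxy: refuse anything that does not open with HELO/EHLO."""
    return flow.proto == "tcp" and _SMTP_FIRST_CMD.match(flow.payload) is not None


# An AG deployment: every permitted port is fronted by a proxy for that protocol.
GATEWAY_FOR_PORT = {80: http_gateway_allows, 25: smtp_gateway_allows}


def ag_allows(flow: Flow) -> bool:
    """Application-gateway decision: no proxy for the port, or a parse failure, drops it."""
    check = GATEWAY_FOR_PORT.get(flow.dst_port)
    return check is not None and check(flow)


# Constructed flows. "ssh on 80" is the case the post warns about: the port says
# HTTP, the bytes say something else entirely.
SAMPLE_FLOWS = {
    "real http":    Flow("tcp", 80, b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    "ssh on 80":    Flow("tcp", 80, b"SSH-1.5-1.2.20\r\n"),
    "smtp on 25":   Flow("tcp", 25, b"EHLO mail.example.com\r\n"),
    "telnet on 23": Flow("tcp", 23, b"\xff\xfd\x18"),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {name: (spf_decision, ag_decision)} for every sample flow."""
    return {name: (spf_allows(f), ag_allows(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (spf, ag) in compare().items():
        print(f"{name:14s} SPF={'pass' if spf else 'drop'}  AG={'pass' if ag else 'drop'}")
```

The "ssh on 80" flow passes the port screen and is dropped by the gateway; the other three are decided the same way by both. The caveat cuts the other way too: the gateway only excludes what it can recognise as not-the-protocol, so a stream that is syntactically valid HTTP but carries something else inside it gets through both.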

