Marketing is a necessary evil, as is Lawyers. I strongly suspect that a
survey of who chose what firewall, would reveal that a greater percentage of
technically knowledgeable people choose TIS (or other proxy firewall), and a
greater percentage of non-security people choose Checkpoint (or other
enhanced packet filters). Unfortunately it's the same sort of thing that
made more people choose Windows 3.1 vs. MacOS.
It is a misrepresentation to say that state-based filtering mechanisms
provide security anywhere near the superior security offered by proxy-based
firewalls. My biggest beef with 'state-based firewalls' is that a
state-based filter cannot rewrite packets, it passes packets through,
leaving the internal network exposed to various packet attacks. A
state-based filter also does not have the application code to intelligently
filter application commands. A state-based filter is not necessarily faster
than a proxy firewall, and I worked with one customer who recently pulled
their Ultra2/200 running FW-1 because it became overwhelmed with traffic,
and tech support was not able to resolve the problem, where it locked up and
required a reboot a few times a day. Caveat: Their 'service provider' box
behind the firewall was a multiprocessor DEC Alpha on 100Mb ethernet, and
tech support thinks there may have been a sizing or compatibility problem.
Fred Avolio is a well known and well written security expert, and does
certainly know his stuff. I would certainly be wary of a person who claims
to be a security expert, though has not known (of) Fred a long time. If you
must challenge his statements, it's wiser to do so privately than publicly.
A question was asked about the trustability of binary code (executables)
where no one outside the company could review source code. Answer: You
can't. You must blindly trust the company to secure the code up to and
through compile. If you're a government or 'national infrastructure'
entity, it's much deeper question on who you can trust.
The improved techniques a firewall uses can be peer reviewed, and if a
technique does not pass muster via peer review, it ain't an improvement.
P.S. - Went on an interview at USWEB for 'security consultant' position
early this year, the interview was basically over (with the Technical
Director, ex-Novell guy) once I eventually admitted my favorite firewall at
the time was Gauntlet ("It depends on the customers' needs", didn't work).
It seems they didn't think I knew much about firewalls. ;) I'm curious to
know what firewall they recommend.