Firewall-1, whose roots are in packet filtering, is touted as a "stateful
packet inspection" application, meaning it looks above layer 2 to the
actual session context. Raptor, on the other hand, is a true application
proxy which works at the application layer and understands the application
itself as well as the session. Both have their ads and disads, of course.
In a nutshell, with a true application proxy, you get more stringent
security, usually (but not always) at the cost of performance. In other
words, for every application proxy daemon instance you run, it's another
hit on the platform resources. With a stateful packet inspector such as
FW-1, it is a single process usually, less resources, hence faster, at the
cost of some level of security. Just depends on what your particular
environment is. The other big advantage to a packet inspector is that you
do not have to write a proxy for each app you need to put through the
firewall. With a true application proxy, you either have to provide a new
proxy for each application, or you can use a generic proxy, which by
definition offers not a lot in the way of security, but still gives you
Just a few thoughts,
At 03:37 PM 2/19/97 +0000, Richard Lowe wrote:
>One of our customers is soon to buy a firewall, and we're wondering whether
>to recommend Firewall-1 or Raptor to them (there doesn't seem to be much
>difference in price).
>I'm told that Raptor is more secure since Firewall-1 comes from a Packet
>Filtering rather than application Proxy background. Is this true?
>Can anybody put their hand on their heart and make a recommendation?
>Richard Lowe, Internet Consultant/Administrator, Pindar plc
>Tel : +44 (0)1904 613040 EMail: R .
>Fax : +44 (0)1904 613110 http://www.pindar.co.uk
>Pager : +44 (0)1426 800403 ISDN: +44 (0)1904 673010
Laurie Bostic
Sr. Network Systems Consultant Pager : 1-800-467-1467
International Network Services V-Mail : (214) 392-3545 x176
Dallas Office <http://www.ins.com>
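
The trade-off described in this thread, as an added example that is not part of the original messages: a toy model (not Firewall-1 or Raptor behaviour) in which a session-tracking inspector, an SMTP-aware proxy and a generic proxy each judge the same constructed traffic. All names, addresses, ports and the SMTP command policy are assumptions made for the illustration.

```python
# Added illustration: toy model only; addresses, ports and policy are constructed.
ALLOWED_SMTP = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

class StatefulInspector:
    """Decides per packet from session state; never reads the payload."""
    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.sessions = set()          # known (src, sport, dst, dport) tuples

    def check(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":      # new session: consult the rule base
            if pkt["dport"] in self.allowed_ports:
                self.sessions.add(key)
                return "accept"
            return "drop"
        return "accept" if key in self.sessions else "drop"

def smtp_proxy(line):
    """Application proxy: parses the SMTP command and applies policy to it."""
    parts = line.strip().split(None, 1)
    verb = parts[0].upper() if parts else ""
    return "relay" if verb in ALLOWED_SMTP else "reject"

def generic_proxy(line):
    return "relay"   # relays the bytes without understanding the protocol

def pkt(src, sport, dport, flags, payload=None):
    return {"src": src, "sport": sport, "dst": "192.0.2.10",
            "dport": dport, "flags": flags, "payload": payload}

SAMPLE = [  # constructed traffic
    pkt("10.0.0.5", 40000, 25, "SYN"),
    pkt("10.0.0.5", 40000, 25, "ACK", "HELO client.example"),
    pkt("10.0.0.5", 40000, 25, "ACK", "VRFY postmaster"),
    pkt("10.0.0.9", 40001, 25, "ACK", "MAIL FROM:<a@example.test>"),
    pkt("10.0.0.5", 40002, 23, "SYN"),
]

def compare(packets):
    """Return (inspector, smtp proxy, generic proxy) verdicts per packet."""
    fw, rows = StatefulInspector({25}), []
    for p in packets:
        data = p["payload"]
        rows.append((fw.check(p),
                     smtp_proxy(data) if data else None,
                     generic_proxy(data) if data else None))
    return rows
```

Calling `compare(SAMPLE)` shows the third packet accepted by the inspector and the generic proxy but rejected by the SMTP proxy, while the fourth (no tracked session) is dropped by the inspector only.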