In my time using Raptor firewalls in various configurations, I have yet
to see any significant performance loss. With a web server behind a proxying
firewall, you need to be concerned, otherwise, an Ultra 1 (configuration
varying depending on the organization) should be able to handle everything
without any performance loss.

On Wed, 19 Feb 1997, Laurie Bostic wrote:
> Firewall-1, whose roots are in packet filtering, is touted as a "stateful
> packet inspection" application, meaning it looks above layer 2 to the
> actual session context. Raptor, on the other hand, is a true application
> proxy which works at the application layer and understands the application
> itself as well as the session. Both have their ads and disads, of course.
> In a nutshell, with a true application proxy, you get more stringent
> security, usually (but not always) at the cost of performance. In other
> words, for every application proxy daemon instance you run, it's another
> hit on the platform resources. With a stateful packet inspector such as
> FW-1, it is a single process usually, less resources, hence faster, at the
> cost of some level of security. Just depends on what your particular
> environment is. The other big advantage to a packet inspector is that you
> do not have to write a proxy for each app you need to put through the
> firewall. With a true application proxy, you either have to provide a new
> proxy for each application, or you can use a generic proxy, which by
> definition offers not a lot in the way of security, but still gives you
> good logging.
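
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not code from either product: a simplified Python model of a stateful filter, a generic proxy and an SMTP-aware application proxy judging the same constructed session. The rule base, the verb allowlist and the sample traffic are all assumptions made for illustration.

```python
# Added illustration: three gateway models judging the same constructed SMTP session.
ALLOWED_PORTS = {25}                      # assumed rule base: inbound SMTP only
SMTP_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed allowlist
MAX_LINE = 512                            # SMTP command line limit (RFC 821)

# Constructed sample: (flow 5-tuple, payload line). Not captured traffic.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 25, "tcp")
SESSION = [
    (FLOW, "HELO client.example"),
    (FLOW, "XDEBUG"),                                 # verb outside the allowlist
    (FLOW, "MAIL FROM:<" + "A" * 600 + ">"),          # over-long command line
    (("192.0.2.10", 40001, "198.51.100.5", 23, "tcp"), "login"),  # port not permitted
]

def stateful_filter(session):
    """Admit a flow once if its destination port is permitted, then pass every
    later packet of that flow from the state table without reading the payload."""
    state, verdicts = set(), []
    for flow, _payload in session:
        if flow not in state and flow[3] in ALLOWED_PORTS:
            state.add(flow)
        verdicts.append("pass" if flow in state else "drop")
    return verdicts

def generic_proxy(session):
    """Relay anything on a permitted port, but record what was relayed."""
    log, verdicts = [], []
    for flow, payload in session:
        ok = flow[3] in ALLOWED_PORTS
        verdicts.append("pass" if ok else "drop")
        if ok:
            log.append((flow[0], flow[3], len(payload)))
    return verdicts, log

def smtp_proxy(session):
    """Terminate the session and judge each command against the protocol."""
    verdicts = []
    for flow, payload in session:
        verb = payload.split(" ", 1)[0].upper()
        ok = flow[3] == 25 and verb in SMTP_VERBS and len(payload) <= MAX_LINE
        verdicts.append("pass" if ok else "drop")
    return verdicts

if __name__ == "__main__":
    print("stateful:", stateful_filter(SESSION))
    print("generic :", generic_proxy(SESSION)[0])
    print("smtp    :", smtp_proxy(SESSION))
```

In this model the stateful filter and the generic proxy reach the same verdicts; the generic proxy differs only in the log it keeps, while the SMTP proxy pays for a parse of every command line.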