McAfee’s Acquisition Reminded Me That Proxies Generally Suck

By Nir Zuk

Category: Firewall

A couple of weeks ago, McAfee acquired Secure Computing for $465M. For those who missed the irony in it, McAfee had previously sold a big portion of its network security business to Secure Computing, leaving many customers in the lurch. Now, with this latest acquisition, McAfee is getting a messaging security business (originally Ciphertrust) which is getting its ass kicked in the market by Cisco’s Ironport, and a network security business which is based around Sidewinder, a proxy-based firewall with a market share of less than 1%.

My prediction? Like a smart co-worker of mine says, in these situations physics does not apply and two rocks tied together sink faster than one.

This whole thing also got me thinking about proxies and their role in network security. If you think about it, proxies are not a natural choice when it comes to networking. They are slow, they add significant latency, and they break every application they were not specifically designed to support. Proxies have traditionally supported very few applications, because supporting one means pretty much redeveloping the entire application, both client and server, inside the proxy. So why are proxies being positioned as a network security tool?

I have heard many reasons throughout the years why proxies are better than traditional packet-based firewalls. But the reality is that proxies have never dominated the security market, and proxy companies have generally not done very well. This includes TIS, which ended up being McAfee’s firewall, then got sold to Secure Computing, and is now returning to McAfee (yes, my head is spinning just reading it). This also includes Secure Computing’s Sidewinder, Raptor (which was killed by Symantec), and other minor, irrelevant players you probably have not heard of.

At one point, TIS excused its proxy’s limited market acceptance by saying Check Point had a better GUI and was easier to manage. I have a different perspective: proxies have failed because they are hard to use, not because they are hard to manage. Putting a proxy on the network places unnecessary restrictions on what the business can use the Internet for. With a proxy, the business is limited to using only the applications that the proxy supports. Consequently, a proxy limits the business instead of enabling it!

Anyway, back to the arguments for why proxies are supposedly better than packet-based firewalls. All these arguments are centered on a single point: proxies are better than packet filtering firewalls because they are more secure. The evidence for this claim ranges from the borderline ridiculous (such as that terminating a TCP connection and opening a new one while merely copying the data makes the connection more secure) to the more reasonable (proxies perform protocol validation, which can prevent some exploits against servers). This last argument is pretty much the only reasonable argument I have heard for why proxies are better than packet-based firewalls. Of course, all modern Intrusion Prevention Systems do the same without the drawbacks of a proxy, which makes the need for a proxy questionable.
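The protocol validation mentioned above, as an added example that is not code from the post or from any proxy or IPS product: a strict HTTP/1.x request-head check of the kind a proxy applies before the server ever sees the bytes. The limits, allowed methods and sample requests are constructed for illustration.

```python
import re

# Constructed limits; a real proxy or IPS would make these configurable.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_TARGET_LEN = 2048
MAX_HEADERS = 64
MAX_HEADER_LEN = 4096
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 token characters


def validate_http_request(raw: bytes):
    """Return (ok, reason) for the request head in `raw`.

    Anything that is not a well-formed HTTP/1.x request head is rejected,
    so malformed input never reaches the origin server's parser."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method not allowed: {method}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, f"unsupported version: {version}"
    if len(target) > MAX_TARGET_LEN or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False, "request-target too long or contains control characters"
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        return False, "too many headers"
    seen = {}
    for h in headers:
        if len(h) > MAX_HEADER_LEN or ":" not in h:
            return False, "malformed header line"
        name, value = h.split(":", 1)
        if not TOKEN.match(name):
            return False, f"bad header name: {name!r}"
        seen.setdefault(name.lower(), []).append(value.strip())
    # Conflicting framing headers make the message ambiguous between hops;
    # a validating proxy refuses them instead of guessing.
    if "content-length" in seen and ("transfer-encoding" in seen or len(seen["content-length"]) > 1):
        return False, "ambiguous message framing"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
LONG_URI = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: example.com\r\n\r\n"
AMBIGUOUS = b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
```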

With all that said, how come McAfee paid so much money for a proxy? And why is BlueCoat still selling a lot of their proxies? The answer IMHO (well, scrap the H) is that enterprises are facing a new security challenge that traditional packet-based firewalls cannot address. I have previously talked about this need in my blog: the need to control users and applications. Proxies can provide 20% of the solution, but that means 80% of applications cannot be controlled by a proxy (again, this places restrictions on the ability of a business to leverage the Internet). Even worse, there are also proxy-bypass applications out there that will tunnel any application through the proxy. But even with these limitations, there are still some customers that continue using proxies because they feel an urgent need to control users and applications.

However, I am seeing a trend of enterprises trying to find a better solution for controlling applications than a proxy. Even BlueCoat recognizes this and is now moving from security towards application acceleration. This trend is a result of two things: awareness of how proxies can’t really control applications (proxy bypass programs, non-port-80 applications, etc.) and, more importantly, the growing number of applications that cannot work through a proxy at all. In the end, all of this exacerbates the need for a security solution that is genuinely effective at controlling all users and applications.

Nir.

4 Reader Comments

  1. Nice blog – I think you summed it up best in that the only reason why proxies are still around is because most packet-filters are just too easy to fool (i.e. blind and stupid). Most companies go the packet route because they would rather have the speed and freedom. Not high-security organizations like government, military, and healthcare though – they would rather dump money into making their proxies faster.

    However…it seems like the proxies have realized that their performance sucks and so have added packet filtering where needed. And the packet-filters are also putting application-layer controls into their products. At least they are moving towards a common goal…

  2. First of all, about McAfee’s acquisition, I think their main problem was that they always present themselves as a Network Security vendor, while they do not have the basic component in any network security solution, the Firewall. However IMHO, (well, scrap the H), Fortinet would have been more suitable for them.

    Now let’s talk about the proxies. I totally agree with you that proxy firewalls are a dying technology. But the only thing I can see them capable of doing, which Stateful Firewalls or even IPSs lack, is the inspection of the Application Layer Payload of Encrypted Traffic. Proxies sometimes offer an ugly but valid solution for this issue as they can act as a MITM in order to inspect that encrypted traffic. And I believe Firewall vendors shall work on this in order to be able to detect attacks in Encrypted Traffic such as HTTPS or even Skype and Encrypted BitTorrent.

  3. To proxy or not to proxy? Well, of course you would like to proxy for controlling the flow of traffic outbound and inbound. Performance can be addressed but all depends on budget and architecture. So the question is, how does the proxy deal with applications tunnelling through port 80, 8080 etc.? It all falls into a defence in depth strategy, i.e. traffic is analysed by an application aware appliance which only forwards legitimate traffic to the proxy, like an application filter. The delay introduced is a perception of the end user. Encrypted traffic analysis can be addressed subject to “risk sign off,” providing a “Man In the Middle” session analysis, with the dilemma of data protection and country laws.

  4. As someone who has actually configured many Sidewinder firewalls, I have to say that you should try to use one before commenting on them.
    Yes, application/proxy based firewalls are harder to implement, especially if you are a novice, but Secure/McCrappy makes this pretty straightforward. And yup, there are filters for those protocols you just can’t get to work on a proxy.
    The only real issue I have come upon is friggen Skype or FTPS. Skype will work via https, but will still try to hammer its way through the firewall on other ports, and FTP/FTPS is for the clueless…use SFTP instead.
    I can’t say much for other proxy based firewalls, as there really aren’t any.