Old 21st October 2008, 09:23   #31
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,981
Thanked: 47,814 Times

Quote:
Originally Posted by given2fly
"Each HTTP request is a new connection", this statement is news to me. It purely depends on what you are trying to do & what kind of environment you have. If you have load balancers, things will change. If you have cookie-based connections, the connection will remain alive and persistent. If you are hosting just web pages, every connection completes its cycle in one go and opens a new channel on new requests. So please don't club all into one. We have enough techies here who can differentiate between such statements.
Hey, wait. I have been using the HTTP protocol for data transmission even before they coined the term web services for that, since 1999 I think. And we still heavily use the HTTP protocol for GET, PUT, HEAD, etc. Therefore, I don't find anything wrong with the "Each HTTP request is a new connection" statement. In fact cookie-based connections are a layer above which makes it look like a single connection. Since our Windows services don't use the browser, we manage the session cookies ourselves so that the connection looks live. Often one cookie session can span multiple socket connections. For example, if an application is trying to send 100 files, we need 101 connections. First one to authenticate and get a session cookie, and then a hundred more connections where the client keeps sending the cookie along with every getNextFile request to maintain the session.

The only case where the connection remains open is http streaming, which I don't use much, but even that doesn't allow multiple requests. Therefore, in my not so limited experience of programming HTTP/HTTPS, every request is a new connection. If somebody was able to send multiple HTTP requests in a single socket connection, it is news to me, I would love to hear how it is done.

Generally, displaying one web page involves dozens of new connections. For example, just showing the first page of the Team-BHP forum may involve 30-40 connections. That is why browser caching (with expiry date) is so important to avoid so many connections.
Samurai is offline  
Old 21st October 2008, 09:42   #32
BHPian
 
Join Date: Oct 2007
Location: Pune
Posts: 214
Thanked: 0 Times

An interesting read in this same direction.

Cisco's IOS vs. Juniper's JUNOS - Network World

BTW, just found that JunOS is not their standard on SMB machines, but it is ScreenOS. But still better than Cisco's sprawling multiple avatars of its IOS.
given2fly is offline  
Old 21st October 2008, 10:00   #33
jp1
BHPian
 
Join Date: Jun 2006
Location: Bangalore
Posts: 286
Thanked: 47 Times
Linux iptables

I am using Red Hat Linux with iptables for the firewall. This is running on an old Pentium PC and my web server, FTP etc. run inside the DMZ via DNAT. I am not an expert, but managed to build a firewall (it is fun if you have time at your disposal); my assumption is that it is pretty safe.
jp1 is offline  
Old 21st October 2008, 10:13   #34
Senior - BHPian
Join Date: Jan 2008
Location: Bombay
Posts: 1,480
Thanked: 1,094 Times

Quote:
Originally Posted by Samurai
HTTP/HTTPS, every request is a new connection. If somebody was able to send multiple HTTP requests in a single socket connection, it is news to me, I would love to hear how it is done.

Generally, displaying one web page involves dozens of new connections. For example, just showing the first page of the Team-BHP forum may involve 30-40 connections. That is why browser caching (with expiry date) is so important to avoid so many connections.
That changed with HTTP 1.1 in 1999. Browsers started implementing it around 2001/02.

HTTP 1.1 brought Keep-Alive, which enables a TCP connection to be reused across HTTP requests. It's easy to check that with Ethereal or any other packet capture utility.

Things changed last year as well. Now, a default install of IE will not open more than 2 simultaneous connections to ANY server. So if you:

1. Clear cache
2. Start Ethereal
3. Open T-BHP home page

You will not see more than 2 connections in Ethereal. On these connections, multiple GET/POST requests will be sent. You can increase the number of simultaneous connections if you want by tweaking the registry.

Or you can open a command window and do netstat -a while the page is being opened.

EDIT: Wikipedia page on this: HTTP persistent connection - Wikipedia, the free encyclopedia

Last edited by NetfreakBombay : 21st October 2008 at 10:18.
NetfreakBombay is offline  
Old 21st October 2008, 10:54   #35
Senior - BHPian
 
Join Date: May 2005
Location: Location
Posts: 5,780
Thanked: 9,223 Times

Quote:
Originally Posted by NetfreakBombay
HTTP 1.1 brought Keep-Alive, which enables a TCP connection to be reused across HTTP requests. It's easy to check that with Ethereal or any other packet capture utility.
Ethereal is now Wireshark. You can download the utility from wireshark.org, a must-have on every network engineer's PC.

Or use good ol' tcpdump if you're on Unix/Linux/BSD.
Sankar is offline  
Old 21st October 2008, 12:14   #36
BHPian
 
Join Date: Oct 2007
Location: Pune
Posts: 214
Thanked: 0 Times

Since Samu has started this thread, I haven't got to rest yet without digging a little more into the latest trends in firewalls. Came across the following links. One is a hilarious video comparo between Juniper and Cisco & the other is a blog by someone.

Juniper SSG vs. Cisco ISR

(These are rather high-end routers, but it could be that Cisco may actually go that way with low-end products as well.)

Juniper SSG vs Cisco ASA and PIX Firewall Comparison Network Exchange

One more thing, if you ever come across reviews from Miercom or something like that (by Brian Reese), stay away. He is quite openly biased.

Last edited by given2fly : 21st October 2008 at 12:15.
given2fly is offline  
Old 21st October 2008, 17:30   #37
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 12 Times

OK, there have been quite a few posts so it's difficult to quote all of them, but here are some pointers:

1) Checkpoint still leads the firewall/VPN market with Cisco in a close 2nd. The overall network security appliance market leader is however Cisco and it has been like that for quite some time now. This is from the latest market share reports, which are published by independent analysts tracking the security market. Cisco is followed by Juniper and Checkpoint in the overall security appliance market. Don't ask me to share this report, as these are not free for use, they need to be bought and cannot be published for outside office use.

2) Microsoft does not figure anywhere in the VPN/firewall software market - definitely not in the top 10. The point remains that ISA started out as a proxy and then in a last-ditch effort to capture the security market, MS made ISA do other firewall-like things. The point still remains that most security practitioners will not recommend the ISA as a primary firewall as it is running on a commercially available general purpose server OS. The number of souls trying to find vulnerabilities in MS OSs is an order of magnitude greater as compared to other OSs. Now take an appliance which is running a customized rewritten OS designed specifically to do the job of a firewall and you get performance as well as security benefits (fewer people are interested in finding vulnerabilities on custom OSs vs MS). No one writes error-free, vulnerability-free software, but yeah the principle of "security by obscurity" helps. In a security deployment, every bit helps and it's a well-known fact MS ISA can be a secondary firewall/proxy but not your primary firewall.

3) Cisco ASAs did have some teething issues when they were launched in the 2004-5 timeframe, but PIXes were always stable and not immediately replaced by ASAs. Once ASAs became stable, PIXes were end-of-lifed. This is the most common FUD created by Cisco's competitors on buggy software. Cisco for one is the only company which does builds and releases with a stability tag. The latest and greatest builds are for features and the slightly older builds get a GD tag (read general deployment) and this is what is used by most large SPs, enterprise, defense and govt. customers. Golden advice is unless you need a specific feature which is not on a release certified as GD or ED, don't go to the latest release.

4) It's true the higher-end ASAs don't include IPS/AV, but is there a 10gbps throughput requirement in Samurai's case?? A 10gbps firewall is deployed in a large datacenter as an internal firewall; who does URL filtering and AV on a datacenter firewall?? No one plonks a UTM box in their core network. Multifunction UTM boxes are for perimeter security and that's where you don't go over 1gbps as of today. Most ISP links don't exceed a few 100mbps at best. For a higher-end environment, like a datacenter serving internal environments, you will have adequate separation of duties and functions as a basic security principle, which means a separate firewall and IPS doing multi-gig throughputs.

5) Fortinet may suffice for smaller deployments, but don't make the mistake of turning on all their features, you will suffer severe degradation in performance.

6) For ASAs, the AMC charges are typically to a max of 10% of the list price of the box. This includes 24X7 TAC support for opening cases and next business day replacement if things go really bad. Besides they have godowns all over the country and in most cases if you are with a good Cisco partner, they will give you much more for much lower AMC prices (I have even heard the partner will provide a replacement from their godown and do a backfill with Cisco).

7) Like I said before - no one writes bug-free software, but your exposure is reduced by an order of magnitude if you are not running a general purpose server OS as your firewall software. Besides in this day and age of high packet rates and connections per second, a custom rewritten OS is much better as a firewall than MS. Linux for one can be significantly tuned, but most firewall vendors prefer to write their own OS. The firewall vendors understand the importance of a secure and high performance firewall OS and most of the vulnerabilities in these OSs are well published and fixes provided quickly (in a few hours).

8) Cisco ASAs don't run on x86 server hardware, they use multiple cores or multiple processors and distribute functions across different hardware modules. ASIC-based firewalls have a problem in terms of performance when multiple functions are turned on - firewall, application inspection, VPN, IPS, etc. as they do some sort of software emulation when the number of requests or functions goes above what the ASIC is designed for. There are drastic drops in connection rates and throughputs on ASIC-based architectures. Cisco and Checkpoint didn't go ASICs, because they decided to use oversized general purpose processors on hardware appliances heavily tuned to a firewall environment. The low number of vulnerabilities and hardware performance of an ASA cannot be compared to an ISA running on a general purpose OS and server hardware. I have configured and used ISAs in the past and know their limited potential as a core firewall; all I would recommend ISA for is a proxy/secondary firewall behind a Checkpoint/Cisco/Juni box. Fortinet as an ASIC box is a no-no, Juniper is much better than Fortinet though.

9) Whether or not HTTP is a connectionless protocol may have changed. However what has not changed is the growing number of connection setup rates and max simultaneous connections needed on any firewall protecting public-facing webservers. In this day and age of web 2.0 environments, with search engines, crawlers and 1000s of users accessing your site, you need the ability to handle those connections. You can compare the Cisco ASAs from a connections point of view to any other vendor and they will be far ahead by a large magnitude when it comes to this parameter. Cisco even goes ahead and publishes real-world performance numbers (for high transaction HTTP environments) on their datasheets. Most vendors don't do that - they just publish a UDP drag strip number, which is large UDP packets sent through the box with no firewall policies turned on. Unsuspecting customers buy the Juniper/Fortinet boxes and then realise performance is nothing like what they said on the datasheet. Cisco and Checkpoint are the only ones being honest on their datasheets.

10) True you can get a hardened ISA appliance with Win2k3 hardened and all unnecessary services removed. However you are still nowhere close in performance and security (lack of vulnerabilities) as compared to a custom OS. Also what is the cost of these ISA server appliances - anything within a few 100 dollars?? Again I don't see these ISA appliances on the security market share reports for the last quarter.

11) I am not CCNA or MS certified, but I have used most security appliances over the years. Besides as I said I am a Checkpoint fanboy as far as GUIs go, but then at the cost of a few hundred dollars what Cisco gives is really good. If you have seen the latest ASDM software variants (version 6.1) they are really good. So the statement that I am selling Cisco because I like it doesn't hold good here.

12) No point in comparing JunOS to Cisco IOS here, as the ASAs do not run IOS. Juniper intends to move all their boxes to JunOS from ScreenOS (as their firewalls came from the NetScreen acquisition). This is the biggest turn-off for a large number of security guys, as this means significant re-learning if the OS is swapped on some of the models. But the bigger pain is most of the ScreenOS boxes will not be upgradeable and will have to be thrown out the window!!

13) You can call Cisco just a ROUTER company as Cisco has only invented the router. They acquired switching companies, security companies, etc. etc. In fact they may have held some records for the largest number of acquisitions made by a technology company (127 so far). This is because they want to only get into markets as the no. 1 or no. 2 and build from there. Besides they are most successful at tearing apart each acquisition and using each and every bit of their software across all their product lines. Did EMC do that with RSA or did Symantec do that with Veritas - they just acquired and left the company to run on their own. Whereas Cisco takes each of its acquisitions and spreads the technology/learnings across its products. So yeah they do routing and switching, they are the only ones with an end-to-end security architecture (from network security to endpoint security to security management), they are number 1 in the enterprise telephony and web conferencing (WebEx) market for the last few years, and number 2 in unified messaging (Unity) and contact center telephony, no. 1 or 2 in web app acceleration and firewalling and the wireless market!!
Look up the latest Synergy, Gartner, IDC, Infonetics, etc. reports.

14) No point in comparing Cisco ISR - it is a router with security functions not a true firewall. Works well as a first level basic filtering device in front of a true firewall like the ASA or Checkpoint.

15) It is a never-ending discussion to compare firewall vendors; no matter how much market info is there, someone will always find some FUD on each vendor. But one point which can be checked is if the firewall is certified by an independent authority for specific types of usage. Don't look at ICSA certifications - because they are a pure pay-and-play certification (owned by Verizon). Look for Common Criteria (CC) EAL4+ certifications on firewalls. CC is an open testing lab funded by major governments (Common Criteria - The Common Criteria Portal) and defense organisations and India is a consuming participant of this certification organisation (Members of the CCRA - The Common Criteria Portal). Almost all vendors have a CC EAL4+ certification (Certified Product list - The Common Criteria Portal). But what people miss about CC is the target of evaluation for that certification. You can get a CC EAL4+ for basic firewalling or a CC EAL4+ for advanced firewalling features, secure management, application inspection, etc. etc. Check the comprehensiveness of the security target (ST) for Microsoft ISA 2004 or Juniper or Fortinet vs Cisco ASA. You will have the answer right there on what is the best corporate firewall, which has been tested most comprehensively. The CC certs are influenced, validated and used by extremely sensitive environments like defense orgs and governments all over the world. Commercial orgs or vendors are not allowed to influence or pay through any of the test results. So this should be the final resource for validating the security state of any technical product (firewall, IPS, AV, IP phone, OS, wireless router, etc. etc. anything).

16) Linux iptables is amongst one of my favourites, and is a good firewall compared to ISA any day, provided you can set it up right. Don't expect fancy GUIs, or advanced functions or support or any comprehensive testing done. And yes for a public-facing web server, you will need at least some server to run iptables or ipfw, for the cost of which you could buy a solid firewall appliance anyway with all the gee-whiz bang features and support you ever needed!!

17) what a long post

18) phew

Last edited by jassi : 21st October 2008 at 17:43.
jassi is offline  
Old 21st October 2008, 18:22   #38
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,981
Thanked: 47,814 Times

Thanks NetfreakBombay. Since I designed all our Internet classes in 1999-2000, there was no question of using the HTTP 1.1 version. All our products run on that highly field-tested code, no point messing with it. For future products, I guess I'll consider persistent connections. Damn, every day I learn a new thing on Team-BHP.

Jassi, jaise koi nahin. Thanks for the long version. Very informative.

Last edited by Samurai : 21st October 2008 at 18:24.
Samurai is offline  
Old 21st October 2008, 18:30   #39
Newbie
 
Join Date: Oct 2007
Location: Thane
Posts: 12
Thanked: 0 Times


I guess Jassi you are right that there is always a problem with one or the other solution. Cisco is a good firewall, but requires you to know rocket science. NetScreen and others give you the GUI to do it. I prefer something that is a combination. Guarded by iptables you can have a second firewall that does something you want it to do. I prefer to manage iptables with the Webmin interface (when someone asks me to help, though I don't manage firewalls at , and hence I should not be discussing these things).

I think a single firewall may not work too well all the time, but if you do the right stuff after a detailed study it will help you achieve your goal (provided it's not making anything foolproof, cos fools are so ingenious).
Ritesh Nair is offline  
Old 21st October 2008, 18:42   #40
Senior - BHPian
Join Date: Jan 2008
Location: Bombay
Posts: 1,480
Thanked: 1,094 Times

Quote:
Originally Posted by Samurai
Since I designed all our Internet classes in 1999-2000, there was no question of using HTTP1.1 version.
Don't get that. Unless you are doing fairly low-level things, your code should already be working with HTTP 1.1. That is because newer browsers will send HTTP 1.1 requests by default and Apache/IIS etc. will honor it.

A few edge cases I have come across are related to code that does not set Content-Length. Then the browser would not know the boundary between different responses and end up closing the connection.
NetfreakBombay is offline  
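The Keep-Alive behaviour from the earlier post and the missing Content-Length edge case from this one, as an added example that is not code from any poster: a constructed local HTTP/1.1 server plus a raw-socket client that sends several GETs over one TCP connection, delimiting each response by Content-Length and falling back to read-until-close when that header is absent. The handler, the `/nolength` path and the client functions are all assumptions made for this illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    """Constructed local server; HTTP/1.1 keeps the TCP connection open."""
    protocol_version = "HTTP/1.1"  # with HTTP/1.0 the server closes after each reply

    def do_GET(self):
        body = f"you asked for {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        if self.path.startswith("/nolength"):
            # The edge case from the thread: no Content-Length, so the only
            # way to mark the end of the body is to close the connection.
            self.send_header("Connection", "close")
        else:
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def read_response(sock):
    """Read one response. Returns (status line, body, connection_reusable)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before headers were complete")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    status, *hdr = head.split(b"\r\n")
    headers = {}
    for line in hdr:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        length = int(headers[b"content-length"].decode())
        while len(body) < length:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed mid-body")
            body += chunk
        return status.decode(), body[:length], True
    # No Content-Length: the boundary is the peer closing the socket, so it cannot be reused.
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return status.decode(), body, False

def fetch_many(port, paths):
    """Send one GET per path over a single TCP connection (HTTP/1.1 keep-alive)."""
    results = []
    with socket.create_connection(("127.0.0.1", port)) as s:
        for path in paths:
            s.sendall(f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n".encode())
            status, body, reusable = read_response(s)
            results.append((status, body))
            if not reusable:
                break  # later requests would need a fresh connection
    return results
```

Run `start_server()` and then `fetch_many(port, ["/a", "/b"])` to see both replies arrive on one socket; a `/nolength` path ends the reuse exactly as the post describes.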
Old 21st October 2008, 19:12   #41
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,981
Thanked: 47,814 Times

Quote:
Originally Posted by NetfreakBombay
Don't get that. Unless you are doing fairly low-level things, your code should already be working with HTTP 1.1. That is because newer browsers will send HTTP 1.1 requests by default and Apache/IIS etc. will honor it.
What browser? There is no browser. I am talking about C++ programs that directly talk HTTP/HTTPS protocol to web servers.
Samurai is offline  
Old 21st October 2008, 20:01   #42
Senior - BHPian
Join Date: Jan 2008
Location: Bombay
Posts: 1,480
Thanked: 1,094 Times

Oh, no point in touching that code...
NetfreakBombay is offline  
Old 21st October 2008, 20:51   #43
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Phew Jassi, that was a long post.

In terms of the Cisco ASA and PIX, I totally agree and have for years seen and worked with some of the latest Cisco technology. Cisco firewall products are very good and very, very stable.
I have seen the Cisco PIX run for 490+ days without a single reboot and believe me it was very stable with not a single hiccup all through, passing a huge amount of traffic and connections with a large flow of data.
No way can you accomplish that kind of uptime using a Windows-based operating system, which is one of the reasons I'm not in favour of software firewalls that run on general operating systems.
In my opinion a firewall should always be a device that's built from the ground up to perform that particular function, and that's what a hardware firewall gives us.
autoenthusiast is offline  
Old 21st October 2008, 20:57   #44
Senior - BHPian
Join Date: Apr 2007
Location: KL-01
Posts: 7,872
Thanked: 4,862 Times

A bit off topic, but I've learnt more about networking from this thread in one day than from several tech forums over a few years, and to think, from an automobile forum!

Last edited by greenhorn : 21st October 2008 at 20:58.
greenhorn is offline  
Old 21st October 2008, 21:24   #45
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,981
Thanked: 47,814 Times

Quote:
Originally Posted by autoenthusiast
I have seen the Cisco PIX run for 490+ days without a single reboot and believe me it was very stable with not a single hiccup all through, passing a huge amount of traffic and connections with a large flow of data.
No way can you accomplish that kind of uptime using a Windows-based operating system, which is one of the reasons I'm not in favour of software firewalls that run on general operating systems.
I agree Windows isn't the best. But uptimes are not an issue.

Two years back I got an emergency support call about a Windows service I had written in 2002. The problem: it had vanished. It was running on a Win2000 server churning out medical record transactions on a continuous basis. The client was supposed to maintain the machine; they had a sysadmin taking care of patches, etc. This client is in upstate New York.

Me: Tell me again, what happened?
Lady: Today when I noticed the link-down status, I was very surprised, it has been so stable all these years. So I went looking for it. Our admin, you don't know him... er... he thought this server was lying unused. So he reformatted the hard-disk and put some other OS on it.
Me: But Adam knew about it, why didn't your admin ask Adam?
Lady: Oh, Adam quit two years back, this admin is his replacement.
Me: That means this Server was untouched for two years.
Lady: Yeah...

We had a similar experience with another server of ours, which lasted 3 years before some admin disconnected it. But that was an HP 9000 series server, running HP-UX.
Samurai is offline  