McAfee’s Acquisition Reminded Me That Proxies Generally Suck

A couple of weeks ago, McAfee acquired Secure Computing for $465M. For those who missed the irony in it, McAfee had previously sold a big portion of its network security business to Secure Computing, leaving many customers in the lurch. Now, with this latest acquisition, McAfee is getting a messaging security business (originally Ciphertrust) which is getting its ass kicked in the market by Cisco’s Ironport, and a network security business which is based around Sidewinder, a proxy-based firewall with a market share of less than 1%.

My prediction? Like a smart co-worker of mine says, in these situations physics does not apply and two rocks tied together sink faster than one.

This whole thing also got me thinking about proxies and their role in network security. If you think about it, proxies are not a natural choice when it comes to networking. They are slow, they add significant latency, and they break all applications for which they are not specifically designed to support. Proxies have traditionally supported very few applications due to the need to pretty much redevelop an entire application – both client and server – to support it. So why are proxies being positioned as a network security tool?

I have heard many reasons throughout the years why proxies are better than traditional packet-based firewalls. But the reality is that proxies have never dominated the security market, and proxy companies have generally not done very well. This includes TIS, which ended up being McAfee’s firewall, then got sold to Secure Computing, but is now returning back to McAfee (yes, my head is spinning just reading it). This also includes Secure Computing’s Sidewinder, Raptor (which was killed by Symantec), and other minor, irrelevant players you probably have not heard about.

At one point, TIS excused its proxy’s limited market acceptance by saying Check Point had a better GUI and was easier to manage. I have a different perspective: Proxies have failed because they are hard to use and not because they are hard to manage. Putting a proxy on the network puts unnecessary restrictions on the business, as to what the Internet can be used for. With a proxy, the business is limited to using only the applications that the proxy supports. Consequently, a proxy limits the business instead of enabling it!

Anyway, back to the arguments of why proxies are supposedly better than packet-based firewalls. All these arguments are centered on a single point – proxies are better than packet filtering firewalls because they are more secure. The evidence for this claim ranges from borderline ridiculous (such as that terminating a TCP connection and opening a new one while merely copying the data makes the connection more secure) to the more reasonable arguments (proxies perform protocol validation which can prevent some exploits against servers). This last argument is pretty much the only reasonable argument I have heard about why proxies are better than packet-based firewalls. Of course, all modern Intrusion Prevention Systems do the same without the drawbacks of a proxy thus rendering the need for a proxy questionable.

With all that said how come McAfee paid so much money for a proxy? And why is BlueCoat still selling a lot of their proxies? The answer IMHO (well, scrap the H) is that enterprises are facing a new security challenge that traditional packet-based firewalls cannot address. I have previously talked about this need in my blog – the need to control users and applications. Proxies can provide 20% of the solution, but that means 80% of applications cannot be controlled by a proxy (again, this places restrictions on the ability of a business to leverage the Internet). Even worse, there are also proxy-bypass applications out there that will run everything through a proxy. But even with these limitations, there are still some customers that continue using proxies because they feel an urgent need to control users and applications.

However, I am seeing a trend of enterprises trying to find a better solution for controlling applications than a proxy. Even BlueCoat recognizes this and is now moving from security towards application acceleration. This trend is a result of two things – awareness of how proxies can’t really control applications (proxy bypass programs, non port-80 applications, etc) and more importantly, more and more applications cannot work through a proxy. In the end, all of this exacerbates the need for a security solution that is genuinely effectively in controlling all users and applications.

Nir.