On Tue, Feb 13, 2001 at 05:20:59PM +0800, luke wrote:
hi, everybody: Recently I use TIS (http://www.tis.com/research/software/) as an http, ftp and telnet proxy. I integrated TIS with the ipchains, squid and FreeS/WAN packages in Red Hat Linux. But it seems to have become the system performance bottleneck. May I ask whether Zorp is a good replacement for TIS in performance and capability?
You ask two different questions, let me answer them in order:

1) capabilities

Zorp is a modular firewall, which means that its architecture allows each proxy to use another proxy to analyze a subprotocol embedded in the main protocol stream. Think of POP3 or IMAP embedded in SSL. An upper level proxy (SSL in our case) decrypts traffic as it passes the firewall, and runs an embedded POP3 proxy to make sure that nothing else but POP3 is allowed on the encrypted channel. Another example would be a content verifier proxy, which gets a raw file with some meta information (like filename, mime type etc.), verifies its contents (with virus scanners, prohibited words etc.) and plugs into an HTTP or FTP proxy.

Apart from the modularity, Zorp is also event driven. You can react to events the protocol proxy raises, and tell the proxy what to do. For example, if you only want to allow anonymous FTP traffic, you override the USER event the FTP proxy generates, check that the username is acceptable (anonymous or ftp) and return the result of your check; the proxy will behave accordingly. The language you write these checks in is Python, that's why Python is required for Zorp. (The proxies themselves are written in C.)

Currently we have application level gateways for the following protocols:

Free version:
-------------
HTTP/1.1 (keep-alive and chunked encoding fully supported)
FTP
finger
SSL
plug

Commercial version:
-------------------
Enhanced SSL
POP3

This list is continuously growing. The free version is available under the GPL, the commercial version is available under a binary only license.

Our proxies were written with security in mind, we analyze each part of the protocol as deeply as possible. An FTP proxy would work by processing only the PORT and PASV commands; our FTP proxy strictly checks the allowable return codes for each command. Our finger proxy checks that the username contains only alphanumeric characters.
We integrate ipchains nicely into Zorp, we are able to add/remove rules from the packet filter on the fly (enabling a service on Zorp adds the corresponding filter rule); this is achieved by directly calling system calls, not by calling the ipchains program externally.

2) stability

You didn't ask about stability, but if you are planning to replace an existing system, you really WANT stability. Zorp is used at quite a number of places, and both our stable branch (0.6.x) and the latest releases of the development branch seem to be stable. The development branch is under feature freeze now, 0.8 will be released real soon now.

3) performance

It was a while ago when we tested Zorp performance. Using plug I could achieve about 17Mbytes/sec on a Celeron450 workstation with IDE disks and 128MB RAM. The test was to copy a large amount of data (100Mbytes as I remember) from /dev/zero into /dev/null through Zorp on a single computer. So the load of the client, proxy and server was placed on a single computer; this theoretically means that Zorp could do about 50Mbytes/sec throughput (assuming that the client and the server run elsewhere). We are running Zorp with 100 concurrent sessions without problems.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
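The two mechanisms the reply above describes, a policy hook that decides on the FTP USER event and strict per-command checking of server reply codes, modelled as a small Python state machine. This is an added illustration, not Zorp's own code, and it does not use Zorp's real policy API: the class and method names, the reply-code table, the finger rule helper and the sample sessions are all assumptions made for this example.

```python
"""
Model of an event-driven, protocol-validating FTP proxy in the style the
post describes.  Added illustration only: not Zorp code, not Zorp's API.
Class/method names, the reply-code table and the sessions are assumptions.
"""
import re

ACCEPT = "ACCEPT"
REJECT = "REJECT"

# Usernames the policy treats as anonymous (the post's "anonymous or ftp").
ANONYMOUS_USERS = frozenset({"anonymous", "ftp"})

# Reply codes tolerated before any command has been sent (server greeting).
GREETING_REPLIES = {120, 220, 421}

# Per-command set of server reply codes the proxy will relay to the client
# (codes from RFC 959; which ones to allow is this example's own choice).
# Any other code is treated as a protocol violation and the session dropped.
ALLOWED_REPLIES = {
    "USER": {230, 331, 332, 530},
    "PASS": {202, 230, 332, 530},
    "CWD":  {250, 550},
    "TYPE": {200, 504},
    "PORT": {200, 500, 501, 530},
    "PASV": {227, 500, 501, 530},
    "LIST": {125, 150, 226, 250, 425, 426, 450},
    "RETR": {125, 150, 226, 250, 425, 426, 450, 550},
    "QUIT": {221},
}


class AnonymousOnlyPolicy:
    """Policy object: the proxy calls one method per event it raises."""

    def user(self, username):
        # Only anonymous logins may pass through the proxy.
        return ACCEPT if username.lower() in ANONYMOUS_USERS else REJECT


class FtpProxyModel:
    """Control-channel state machine validating both traffic directions."""

    def __init__(self, policy):
        self.policy = policy
        # What the server may say next: first the greeting, then whatever the
        # last forwarded command permits, nothing while no command is pending.
        self.pending = "greeting"
        self.expected = GREETING_REPLIES

    def from_client(self, line):
        """Returns (verdict, text): on ACCEPT forward `text` to the server,
        on REJECT send it to the client as an error reply."""
        m = re.fullmatch(r"([A-Za-z]{3,4})(?: (.*))?", line.strip())
        if not m:
            return REJECT, "500 Syntax error"
        verb, arg = m.group(1).upper(), m.group(2) or ""
        if verb not in ALLOWED_REPLIES:
            return REJECT, "502 Command not implemented by proxy"
        if verb == "USER" and self.policy.user(arg) == REJECT:
            return REJECT, "530 Only anonymous FTP is permitted"
        self.pending, self.expected = verb, ALLOWED_REPLIES[verb]
        return ACCEPT, f"{verb} {arg}".rstrip()

    def from_server(self, line):
        """Returns (verdict, text): relay on ACCEPT, tear down on REJECT."""
        m = re.match(r"(\d{3})[ -]", line)
        if not m or self.expected is None:
            return REJECT, "421 Unsolicited or malformed reply, closing"
        code = int(m.group(1))
        if code not in self.expected:
            return REJECT, f"421 Unexpected reply {code} to {self.pending}"
        self.pending, self.expected = None, None
        return ACCEPT, line


def finger_username_ok(name):
    """The finger-proxy rule from the post: alphanumeric characters only."""
    return bool(re.fullmatch(r"[A-Za-z0-9]+", name))


def run_session(transcript, policy=None):
    """Feed a constructed ("C"/"S", line) transcript through the model and
    return the verdict list, stopping at the first REJECT."""
    proxy = FtpProxyModel(policy or AnonymousOnlyPolicy())
    verdicts = []
    for side, line in transcript:
        verdict, _ = proxy.from_client(line) if side == "C" else proxy.from_server(line)
        verdicts.append(verdict)
        if verdict == REJECT:
            break
    return verdicts


# Constructed sample sessions (not captured traffic).
GOOD_SESSION = [("S", "220 ftp.example.org ready"),
                ("C", "USER anonymous"), ("S", "331 Please send email as password"),
                ("C", "PASS guest@example.org"), ("S", "230 Login successful"),
                ("C", "PASV"), ("S", "227 Entering Passive Mode (192,0,2,10,19,137)")]
NAMED_USER_SESSION = [("S", "220 ready"), ("C", "USER root"), ("S", "331 Password required")]
BAD_REPLY_SESSION = [("S", "220 ready"), ("C", "USER ftp"),
                     ("S", "227 Entering Passive Mode (192,0,2,10,19,137)")]

if __name__ == "__main__":
    for name, sess in [("good", GOOD_SESSION), ("named user", NAMED_USER_SESSION),
                       ("bad reply", BAD_REPLY_SESSION)]:
        print(f"{name:10s} {run_session(sess)}")
```

The point of checking the server side too is the one the reply makes: a proxy that only rewrites PORT and PASV relays whatever the server sends, whereas a per-command table lets the proxy drop a session the moment a reply does not fit the command that provoked it, which closes off a good deal of misbehaving or hostile servers without the policy author having to anticipate each case.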