[zorp] zorp vs. TIS

Balazs Scheidler bazsi@balabit.hu
Tue, 13 Feb 2001 11:25:58 +0100


On Tue, Feb 13, 2001 at 05:20:59PM +0800, luke wrote:
>    hi, everybody:
>         Recently, I use TIS(http://www.tis.com/research/software/) as
> http,ftp,telnet proxy.
>         I integrated TIS with ipchains, squid,FreeS/WAN packages in Red Hat
> Linux.
>         But it seem to become the system performance bottleneck.
>         May I ask that zorp is a good replacement for TIS in performance and
> capability ?

You ask two different questions, let me answer them in order:

1) capabilities

Zorp is a modular firewall, which means that its architecture allows each
proxy to use another proxy to analyze a subprotocol embedded in the main
protocol stream. Think of POP3 or IMAP embedded in SSL. An upper level proxy
(SSL in our case) decrypts traffic as it passes the firewall, and
runs an embedded POP3 proxy to make sure that nothing but POP3 is
allowed on the encrypted channel. Another example would be a content
verifier proxy, which gets a raw file with some meta information (like
filename, MIME type etc.), verifies its contents (with virus
scanners, prohibited-word lists etc.) and plugs into an HTTP or FTP proxy.

Apart from the modularity, Zorp is also event driven. You can react to
events the protocol proxy raises, and tell the proxy what to do. For example,
if you only want to allow anonymous FTP traffic, you override the USER
event the FTP proxy generates, check that the username is acceptable
(anonymous or ftp) and return the result of your check; the proxy will
behave accordingly. The language you write these checks in is Python, which
is why Python is required for Zorp. (The proxies themselves are written in C.)

Currently we have application level gateways for the following protocols:

Free version:
-------------
HTTP/1.1 (keep-alive and chunked encoding fully supported)
FTP
finger
SSL
plug

Commercial version:
-------------------
Enhanced SSL
POP3

This list is continuously growing. The free version is available under the
GPL, the commercial version is available under a binary-only license.

Our proxies were written with security in mind; we analyze each part of
the protocol as deeply as possible. An FTP proxy would work while processing
only the PORT and PASV commands; our FTP proxy strictly checks the allowable
return codes for each command. Our finger proxy checks that the username
contains only alphanumeric characters.

We integrate ipchains nicely into Zorp; we are able to add/remove rules in
the packet filter on the fly (enabling a service on Zorp adds the
corresponding filter rule). This is achieved by making the system
calls directly, not by calling the ipchains program externally.

2) stability

You didn't ask about stability, but if you are planning to replace an
existing system, you really WANT stability. Zorp is used at quite a number
of places, and both our stable branch (0.6.x) and the latest releases of the
development branch seem to be stable. The development branch is under
feature freeze now; 0.8 will be released real soon now.

3) performance

It was a while ago that we tested Zorp performance. Using plug I could
achieve about 17 Mbytes/sec on a Celeron 450 workstation with IDE disks and
128 MB RAM. The test was to copy a large amount of data (100 Mbytes as I
remember) from /dev/zero into /dev/null through Zorp on a single computer.
So the load of the client, proxy and server was placed on a single computer;
this theoretically means that Zorp could do about 50 Mbytes/sec throughput
(assuming that the client and the server run elsewhere).

We are running Zorp with 100 concurrent sessions without problems.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
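The event-driven policy model Bazsi describes (override the USER event, accept only anonymous/ftp; reject any reply code the command is not allowed to get; finger usernames restricted to alphanumerics) can be illustrated with a small self-contained mock. The following is an added example written for this archive page; it is not Zorp's code and does not use Zorp's actual Python API. The hook names (on_user etc.), the ACCEPT/REJECT constants, the reply-code table and the sample client lines are all constructed assumptions made for the illustration.

```python
"""Toy event-driven proxy skeleton modelling the policy style described above.

Constructed for illustration only: NOT Zorp's own code or API. The hook
names, verdict constants and the FTP reply-code table are assumptions.
"""
import re

ACCEPT, REJECT = "accept", "reject"

# Assumed, deliberately incomplete table of reply codes the proxy lets the
# server send back for each command. A code outside the set for the command
# that was sent is treated as a protocol violation, not forwarded.
FTP_ALLOWED_REPLIES = {
    "USER": {230, 331, 332, 421, 500, 501, 530},
    "PASS": {202, 230, 332, 421, 500, 501, 503, 530},
    "PORT": {200, 421, 500, 501, 530},
    "PASV": {227, 421, 500, 501, 502, 530},
    "QUIT": {221, 500},
}


class FtpProxy:
    """Parses the FTP control channel and raises one event per command.

    Policy lives in subclasses, which override on_<command>(argument) and
    return ACCEPT or REJECT. Commands with no handler are accepted as long
    as their syntax is understood and they are in the allowed-command table.
    """

    _cmd_re = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

    def handle_request(self, line):
        m = self._cmd_re.match(line.rstrip("\r\n"))
        if not m:
            return REJECT                      # malformed line, dropped
        cmd, arg = m.group(1).upper(), m.group(2) or ""
        if cmd not in FTP_ALLOWED_REPLIES:
            return REJECT                      # unknown command never forwarded
        handler = getattr(self, "on_" + cmd.lower(), None)
        return handler(arg) if handler else ACCEPT

    def handle_reply(self, cmd, code):
        """Strict server-side check: the reply code must be one that the
        command just sent is allowed to receive."""
        allowed = FTP_ALLOWED_REPLIES.get(cmd.upper(), set())
        return ACCEPT if code in allowed else REJECT


class AnonymousOnlyFtpProxy(FtpProxy):
    """Policy override of the USER event: only anonymous logins may pass."""

    def on_user(self, username):
        return ACCEPT if username.lower() in ("anonymous", "ftp") else REJECT


class FingerProxy:
    """Finger request line must be purely alphanumeric, so '@host' forwarding
    and option strings such as '/W' are rejected. An empty request (list all
    logged-in users) passes this check; tightening '*' to '+' would forbid it."""

    _user_re = re.compile(r"^[A-Za-z0-9]*$")

    def handle_request(self, line):
        return ACCEPT if self._user_re.match(line.rstrip("\r\n")) else REJECT


def run_session(proxy, lines):
    """Feed constructed client lines through a proxy; return one verdict per line."""
    return [proxy.handle_request(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample control-channel lines, not captured traffic.
    ftp_lines = ["USER anonymous\r\n", "USER root\r\n", "PASV\r\n", "SITE EXEC ls\r\n"]
    print(run_session(AnonymousOnlyFtpProxy(), ftp_lines))
    print(run_session(FingerProxy(), ["alice\r\n", "alice@other.example\r\n", "/W root\r\n"]))
```

The split between parser (base class) and policy (subclass hook) is the point: the protocol-specific syntax checking and the reply-code table stay in the proxy, while an administrator only writes the small decision function for the event they care about.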