Flow-Based Vs Proxy Scanning
Proxy mode relies on Layer 7 redirection. TCP packets must pass through the kernel's
software (slow) data path and bounce up and down between the kernel and the proxy daemons. At
the same time, a proxy tends to buffer data for scanning, which may increase latency.
The Layer 7 data may also need to be redirected between different proxies to complete different
UTM features. For example, the SSL proxy decrypts the traffic and redirects the decrypted traffic
to other proxies (HTTP, IMAP, POP3, etc.) to do the remaining work.
In Flow mode, network traffic is scanned as raw IP packets, and the traffic keeps
flowing during the scan, so latency tends to be much lower than with a proxy. Also, because
flow mode operates on raw network packets, hardware acceleration can be utilized, such as
nTurbo or the XG2/XH0 acceleration cards.
This mode does not rely on precious kernel resources. Instead, memory is the only limiting
factor, so it scales very well across the models. For example, when memory doubles from one
model to the next, throughput and concurrent connections follow.
All UTM features are applied in a single pass: a network packet goes through the IPS engine
once and all features are applied without duplicated scanning. That is why the throughput of a
single IPS feature is almost the same as that of IPS+AppCtrl+WCF combined.
Performance-wise, Flow mode is the uncontested winner, because of its “flow” nature and
its ability to use hardware-acceleration (N-Turbo).
Feature-wise, Flow mode provides two unique features: IPS and Application Control.
But for the other traditional UTM features, such as AV, Webfilter, DLP and Antispam, proxies
usually provide a better feature set, because they can act on the full Layer 7 data
and take action before the data is forwarded.
Internal
FORTINET
a. AntiVirus
In FOS 5.0, flow mode can only do checksum-based AV scanning.
In FOS 5.2, flow mode also takes advantage of the powerful AV engine for virus
scanning, so detection-wise it is almost the same as the proxies. But due to the nature of
flow-mode scanning, packets keep going, so there _might_ not be "replacement
messages". However, the IPS engine remembers the infected URLs, so that subsequent
visits trigger "replacement messages" directly. This is not as consistent as the proxies are.
b. Webfilter
For web filtering, proxies and flow mode provide a similar feature set. But for "safe
search", proxies provide a far better solution. The flow engine does not alter the original
traffic, so what it can do is very limited. Proxies can manipulate the original traffic
in any way they need.
For example, the HTTP proxy can add the necessary HTTP headers so that "safe search" is
enforced all the time. HTTP proxies also support features such as Google
Enterprise Service control by taking advantage of this ability to alter traffic.
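To make the difference concrete, here is an added example (not Fortinet code) that runs the same constructed HTTP request through a proxy-style rewrite and a flow-style check. The host names, the `safe=active` query parameter and the `YouTube-Restrict` header are assumptions drawn from public Google documentation, not from this page.

```python
"""Proxy mode can rewrite a request before forwarding it; flow mode can only
inspect the packets as they pass and return a verdict. Both functions below
work on a minimal HTTP/1.1 request string (constructed sample)."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed enforcement rules: query parameter to force, header to inject.
SAFE_PARAMS = {"www.google.com": ("safe", "active")}
SAFE_HEADERS = {"www.youtube.com": ("YouTube-Restrict", "Strict")}

def parse_request(raw: str):
    """Split a request into (method, target, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = dict(line.split(": ", 1) for line in lines[1:] if line)
    return method, target, version, headers, body

def proxy_rewrite(raw: str) -> str:
    """Proxy mode: terminate the session, alter the request, then forward it."""
    method, target, version, headers, body = parse_request(raw)
    host = headers.get("Host", "")
    if host in SAFE_PARAMS:
        key, val = SAFE_PARAMS[host]
        parts = urlsplit(target)
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query[key] = val                      # overrides any user-supplied value
        target = urlunsplit(parts._replace(query=urlencode(query)))
    if host in SAFE_HEADERS:
        name, val = SAFE_HEADERS[host]
        headers[name] = val                   # header injected on the way out
    head = "\r\n".join([f"{method} {target} {version}"]
                       + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body

def flow_verdict(raw: str) -> str:
    """Flow mode: packets keep moving, so the only choices are pass or block."""
    _, target, _, headers, _ = parse_request(raw)
    host = headers.get("Host", "")
    if host in SAFE_PARAMS:
        key, val = SAFE_PARAMS[host]
        query = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
        if query.get(key) != val:
            return "block"    # cannot fix the request, only drop it
    return "pass"

# Constructed sample: a user explicitly turning safe search off.
SAMPLE = ("GET /search?q=test&safe=off HTTP/1.1\r\nHost: www.google.com\r\n"
          "User-Agent: constructed-sample\r\n\r\n")
```

Running both over `SAMPLE` shows the asymmetry: the proxy forwards a corrected request, while the flow engine's only enforcement option is to block the original one.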
c. DLP
Proxies provide document fingerprinting, which is very powerful for matching documents
by similarity. In flow mode, only simple pattern matching (including regular expressions)
and file type matching are available.
d. AntiSpam
As with DLP, flow mode supports pattern matching only. The proxies (POP3/IMAP/SMTP)
have a far more powerful AntiSpam engine which, when coupled with the FortiGuard
AntiSpam service, can be very comprehensive.
4. Comparison Matrix
* Replacement messages will not be sent on a consistent basis. See 3.a for details.