Wednesday, September 28, 2005

Sidewinder and Squid and Selecting an application proxy firewall

On 9/27/05, jrdld2 wrote:

> A month or two back I heard that SC were planning to drop squid. For myself, I'd rather they wouldn't.

Secure sent the official EOL notice for Squid in late August; I have faint hope they will change their mind.

Squid support in Sidewinder has always been marginal at best, and the functionality of the Squid proxy is crippled by TE. For example, cache_peer queries fail because the packet cannot be sent, triggering a TE event in the G2 audit log.

Worse yet, Sidewinder has been perpetually stuck on 2.4.STABLE6, not exactly the best vintage of Squid :)

> The HTTP proxy logging is very poor by comparison,

In my personal opinion, G2's HTTP proxy logging is very poor by comparison to a "Speak & Spell" with leaky alkaline batteries not changed since 1978.

> and traffic seems to be slower.

That is an interesting observation -- Going from Gauntlet 6.0's http-pdk to Squid, I've had a few users make the opposite claim, that traffic seems to be slower under Squid than under a non-caching HTTP "application proxy" such as Gauntlet.

I do know that if you are trying to do any access control based on the destination domain (without paying for a SmartFilter license), Sidewinder's request processing can be massively degraded, whereas Squid can handle literally hundreds of destination pattern match ACLs with little or no performance loss.

> Squid also has some functionality which is useful in our own particular setting.

Ditto here. One of the biggest issues we have (an issue of which Secure is well aware) is the lack of support for ftp-over-http in the current Sidewinder HTTP proxy. We worked with TIS and NAI for years to get this feature working correctly in Gauntlet.

Additionally, we have a relatively large cache hierarchy deployed with a mix of commercial and freeware caches interconnected with ICP, and are faced with tearing down the entire infrastructure because SCC, our sole corporate-standard proxy firewall vendor, cannot (will not) support the ICP protocol, and is dropping what limited Squid support they have today. This hurts; it makes me feel that I may have been remiss in recommending a move to Sidewinder G2 when we were forced to migrate off of the (stable as a rock) Gauntlet product.

I made this recommendation based in a large part on the understanding that the best features of Gauntlet would be incorporated into Sidewinder.
I guess "best features" was code for "as much of the customer base as we can retain (by any means necessary)."

Live and learn.

Are there any others out there who would like to see squid stay?
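As an added example that is not part of the original post, and not a configuration shipped by either vendor, the Squid 2.x fragment below shows the two capabilities the post contrasts with the Sidewinder HTTP proxy: destination-domain access control driven from plain list files (the ACL style the post says scales to hundreds of entries without a filtering license), and a cache hierarchy using ICP. Hostnames, addresses, file paths and domain names are hypothetical.

```squid
# Added example, not from the original post. Squid 2.x syntax.
# Hostnames, IPs, paths and domains below are hypothetical.

http_port 3128
# ICP listener, so parent/sibling caches can query this cache
icp_port 3130

# Squid 2.x does not predefine "all"; it must be declared.
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.0.0.0/8

# --- Destination-domain access control ---------------------------
# dstdomain matches the request's host; a leading dot in a list
# entry matches the domain and all of its subdomains. The quoted
# path loads one entry per line, so long lists stay out of squid.conf.
acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"
# Regex patterns for the cases a plain domain list cannot express
acl blocked_patterns dstdom_regex -i "/etc/squid/blocked_patterns.txt"

# First matching http_access line wins: deny before allow.
http_access deny blocked_domains
http_access deny blocked_patterns
http_access allow localnet
http_access deny all

# --- ICP cache hierarchy -----------------------------------------
# A parent we fetch cache misses through (HTTP 3128, ICP 3130), and
# a sibling we fetch from only when its ICP reply reports a hit.
cache_peer parent-cache.example.net  parent  3128 3130 default
cache_peer sibling-cache.example.net sibling 3128 3130 proxy-only

# Internal sites go direct and are never offered to the hierarchy.
acl internal_sites dstdomain .corp.example.net
always_direct allow internal_sites
cache_peer_access parent-cache.example.net  deny internal_sites
cache_peer_access sibling-cache.example.net deny internal_sites

# Only the known peers may send us ICP queries.
acl icp_peers src 192.0.2.10 192.0.2.11
icp_access allow icp_peers
icp_access deny all
```

The `cache_peer` lines are what generate the peer queries the post reports failing under Sidewinder's Type Enforcement; on a standalone Squid they only require that UDP 3130 be reachable between the caches in both directions. Note that the blocked-domain file uses `dstdomain`, which is matched against the parsed host name rather than the full URL, so it does not see query strings or paths and should not be relied on for anything finer than whole-domain policy.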