Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Anton Chuvakin" <anton () chuvakin org>
Date: Wed, 28 Nov 2007 10:04:48 -0800
> I see buzzwords and marketing a-plenty in that interview. :)
Very true! But there is also some substance, which I thought would make a fun addition to this discussion.
> WTF is "application-centric classification"?? That's what any decent firewall has done since the beginning.
Ehhh, maybe not. I think he (well, his device :-)) implies that he can quickly look at traffic flowing to the same port and then make an access control decision based on the detected application type (e.g. email or IM over HTTP is bad while web surfing over HTTP is OK) and not just on port (e.g. TCP 25 is bad, but - OMG! - TCP 80 is OK). Proxies (the ones I've seen, at least) can make decisions like "not normal HTTP? -> good bye connection" but not "allow YIM over HTTP, but not AIM over HTTP".
> And Zuk's implicit claim in his first paragraph (that CheckPoint did what they did because "current firewalls were ineffective") is disingenuous.
Yes, this one was a shocker to me too :-)
> What does all that MEAN?
The above is what I got from it.
> If what he's saying is that "everything tunnelling over port 80 hurts" well - Duh?
Well, yes, actually. But he seems to also add that he can now make decisions quickly about which specific content on TCP 80 is OK and which is not, based on app/usage, which is kinda cool.
> Hey Anton? Did you actually read that article?? I am asking you this seriously. Because I just read it twice and the only words
Well, I did point out some substance above; other pieces that I thought were interesting:

- "Once the application is identified, it needs to be controlled and secured, both of which require much deeper inspection into the information itself. Note that simply blocking the application is not enough - applications need to be controlled - some are always allowed, some are always blocked but most require granular policy."

This points at something more interesting than "bad app protocol -> kill it." If you can actually make sense of, and then make access ctl decisions about, all the TCP 80 mess, I think this would be pretty cool, useful and new.

- "a client-facing, forward proxy that inspects outbound traffic"

This to me sounds pretty interesting as well: his device's primary purpose is not to protect the inside from them Evil Outside (tm) :-) but to audit and control what gets out, and in what shape or form, with a degree of detail which is possible-but-very-hard to achieve with other means.

Finally, I think that by being suspended in whitespace :-) between tech and marketing realms for a few years, I developed a 'spider-sense' for deciphering what people actually mean by their marketing. It is not ALL BS, you know :-)

Best,

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
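To make concrete what the thread calls "application-centric classification" on TCP 80 and the "always allowed / always blocked / granular" policy from the quoted interview, here is an added toy example (written for this archive page, not code from the thread, from Zuk, or from any vendor). It parses the start of a client-to-server stream on port 80, rejects anything that is not well-formed HTTP (the proxy-style "not normal HTTP? -> good bye connection" check), labels well-formed requests with an application name, and then applies a policy per application and user group. The application markers (`im.example`, `mail.` hosts, `/im/` paths) and the group names are constructed for illustration and are not the real wire signatures of YIM, AIM or any webmail service.

```python
"""Toy application-centric classification of traffic on TCP/80.

Added example for the firewall-wizards thread, not code from the thread or
from any product. Application markers below are constructed placeholders,
not real YIM/AIM/webmail protocol signatures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict  # header names lower-cased


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Parse the request line and headers of an HTTP/1.x request.

    Returns None when the bytes are not a well-formed HTTP request, which is
    the "not normal HTTP? -> good bye connection" decision a classic proxy makes.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _version = parts
    if method not in {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:  # a header line without a colon is not valid HTTP
            return None
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers)


# Hypothetical application markers (constructed; checked in order).
APP_MARKERS = [
    ("im-over-http", lambda r: r.headers.get("host", "").endswith("im.example")
                               or r.target.startswith("/im/")),
    ("webmail", lambda r: r.headers.get("host", "").startswith("mail.")),
    ("file-upload", lambda r: r.method == "POST"
                              and r.headers.get("content-type", "").startswith("multipart/form-data")),
]


def classify(payload: bytes) -> str:
    """Label a port-80 stream by application rather than by port alone."""
    req = parse_http_request(payload)
    if req is None:
        return "not-http"
    for app, matches in APP_MARKERS:
        if matches(req):
            return app
    return "web-browsing"


# Policy in the three tiers the quoted interview describes.
ALWAYS_ALLOW = {"web-browsing"}
ALWAYS_BLOCK = {"not-http"}
# Granular: application -> user groups permitted to use it (hypothetical groups).
GRANULAR = {
    "im-over-http": {"helpdesk"},
    "webmail": {"helpdesk", "staff"},
    "file-upload": set(),
}


def decide(payload: bytes, user_group: str) -> tuple:
    """Return (application, verdict) for one outbound stream and user group."""
    app = classify(payload)
    if app in ALWAYS_ALLOW:
        return app, "allow"
    if app in ALWAYS_BLOCK:
        return app, "block"
    return app, ("allow" if user_group in GRANULAR.get(app, set()) else "block")


# Constructed sample streams (first bytes of the client side of a connection).
SAMPLES = {
    "browse": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "im": b"POST /im/send HTTP/1.1\r\nHost: chat.im.example\r\nContent-Length: 12\r\n\r\nhello world!",
    "mail": b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "upload": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Content-Type: multipart/form-data; boundary=x\r\n\r\n",
    "tunnel": b"\x16\x03\x01\x00\x05notHTTP",  # something non-HTTP shoved into port 80
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        for group in ("staff", "helpdesk"):
            app, verdict = decide(payload, group)
            print(f"{name:7} {group:9} -> {app:13} {verdict}")
```

The point the example makes is the one Anton draws from the interview: the port-only rule ("TCP 80 is OK") gives the same answer for every sample, whereas the classifier separates plain browsing from IM, webmail and uploads riding on the same port, and the policy tier then decides per application and per group. Real products need far more than a handful of host and path markers, and marker order matters (a stream matching two applications takes the first label), which is where the "much deeper inspection" in the quote comes in.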