Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Nov 2007 19:23:02 -0500

Anton Chuvakin wrote:
This adds some fun fuel to this fire:
http://rationalsecurity.typepad.com/blog/2007/11/take5-episode-7.html

I see buzzwords and marketing a-plenty in that interview. :)

WTF is "application-centric classification"?? That's what any
decent firewall has done since the beginning. And Zuk's implicit
claim in his first paragraph (that CheckPoint did what they did
because "current firewalls were ineffective") is disingenuous
at worst and bullshit at best. Note how he's careful to position
CheckPoint against routers+ACLs, not against any of the
actual layer-7 firewalls that were dominating the market at the
time. CheckPoint won because they were fast and the market
was ignorant, not because they were more "effective" - in fact,
quite the opposite, they were (and are) vastly less "effective"
and are superior to a router+ACL primarily in the user interface
department and because they handled FTP without requiring
high port callbacks. Remember - circa 1994, high port callbacks
to enable FTP were the raison d'etre for a "stateful" firewall
instead of just a router+ACLs.


"I think that a more important trend in network security today is the
move from port-centric to application-centric classification
technologies.

I see lips moving but I don't actually see anything here that is
not just buzzblah blah foo marketing blah marketing foo buzz blah.

What does all that MEAN?

Any security practitioner that has not been Rip Van Winkleing
for the last decade knows that application layer is where the
action is right now. Is he jumping onto a 10 year old bandwagon
and yelling "LOOK! A BANDWAGON!" or what?

This will make most of the existing products obsolete,
similar to the way stateful inspection has made its predecessors
disappear from the world."

If what he's saying is that "everything tunnelling over port 80 hurts"
well - Duh?

The reason stateful inspection made its predecessors disappear
is not because it was better, but rather because it was WORSE
but its customers like the blah blah foo foo marketing buzz blah
foo stuff that Nir spews better than they like actually understanding
what the expensive doo-dad they bought actually does.

Hey Anton? Did you actually read that article?? I am asking you
this seriously. Because I just read it twice and the only words
that I could find in what Nir was saying that are not pretty much
100% unadulterated marketing bullshit are the words:
"network"
"is"
"the"

mjr. 
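The "high port callbacks" point above is the one technical claim in the thread, and it is easy to see in code. Active-mode FTP has the client announce an ephemeral port in a PORT command on the control channel, and the server then connects back to that port from port 20. A router with static ACLs has to permit inbound TCP to every high port for that to work; a stateful firewall reads the control channel and opens a pinhole for exactly one announced port, only from the expected server, only once. The following Python is an added example, not code from the post or from any product named in it; the IP addresses, the control-channel lines and the class names are constructed for illustration.

```python
"""Added example: static ACL versus stateful FTP pinhole (all values constructed)."""
import re
from dataclasses import dataclass

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt, as a packet filter sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line: str):
    """Return (ip, port) announced by an FTP PORT command, or None if unusable."""
    m = PORT_RE.match(line)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if any(x > 255 for x in parts):
        return None  # each field is one byte; anything larger is malformed
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    if port < 1024:
        return None  # never open a pinhole to a privileged port
    return ip, port


class StaticAcl:
    """Router-style rule: the only way to let active FTP work without state
    is to allow the server's port 20 to reach every high port on the client."""

    def allows(self, flow: Flow) -> bool:
        return flow.src_port == 20 and flow.dst_port >= 1024


class StatefulFtpFirewall:
    """Watches the control channel and admits only the announced data connection."""

    def __init__(self, ftp_server_ip: str):
        self.server = ftp_server_ip
        self.pinholes: set[Flow] = set()

    def observe_control(self, client_ip: str, line: str) -> None:
        parsed = parse_port_command(line)
        if parsed is None:
            return
        ip, port = parsed
        if ip != client_ip:
            return  # a client may not ask us to open a port on a third host
        self.pinholes.add(Flow(self.server, 20, ip, port))

    def allows(self, flow: Flow) -> bool:
        if flow in self.pinholes:
            self.pinholes.discard(flow)  # one data connection per PORT command
            return True
        return False


def compare_policies() -> dict:
    """Run one constructed FTP session through both policies and report
    which of two inbound connections each one admits."""
    client, server = "192.168.1.10", "203.0.113.5"
    fw = StatefulFtpFirewall(server)
    fw.observe_control(client, "PORT 192,168,1,10,4,210")  # announces port 1234
    announced = Flow(server, 20, client, 1234)
    unrelated = Flow(server, 20, client, 5555)  # never announced by the client
    return {
        "static_acl": (StaticAcl().allows(announced), StaticAcl().allows(unrelated)),
        "stateful": (fw.allows(announced), fw.allows(unrelated)),
    }


if __name__ == "__main__":
    for name, (ok, stray) in compare_policies().items():
        print(f"{name:11s} announced={ok} unrelated_high_port={stray}")
```

The static ACL admits both connections because it cannot tell port 1234 from port 5555; the stateful tracker admits only the one the client asked for, which is the whole reason that design displaced router ACLs for FTP in the period Ranum is describing.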

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards