Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Nov 2007 19:23:02 -0500
Anton Chuvakin wrote:
> This adds some fun fuel to this fire: http://rationalsecurity.typepad.com/blog/2007/11/take5-episode-7.html
I see buzzwords and marketing a-plenty in that interview. :) WTF is "application-centric classification"?? That's what any decent firewall has done since the beginning. And Zuk's implicit claim in his first paragraph (that CheckPoint did what they did because "current firewalls were ineffective") is disingenuous at worst and bullshit at best. Note how he's careful to position CheckPoint against routers+ACLs, not against any of the actual layer-7 firewalls that were dominating the market at the time. CheckPoint won because they were fast and the market was ignorant, not because they were more "effective" - in fact, quite the opposite, they were (and are) vastly less "effective" and are superior to a router+ACL primarily in the user interface department and because they handled FTP without requiring high port callbacks. Remember - circa 1994, high port callbacks to enable FTP was the raison d'etre for a "stateful" firewall instead of just a router+ACLs.
"I think that a more important trend in network security today is the move from port-centric to application-centric classification technologies.
I see lips moving but I don't actually see anything here that is not just buzzblah blah foo marketing blah marketing foo buzz blah. What does all that MEAN? Any security practitioner that has not been Rip Van Winkleing for the last decade knows that application layer is where the action is right now. Is he jumping onto a 10 year old bandwagon and yelling "LOOK! A BANDWAGON!" or what?
This will make most of the existing products obsolete, similar to the way stateful inspection has made its predecessors disappear from the world."
If what he's saying is that "everything tunnelling over port 80 hurts" well - Duh? The reason stateful inspection made its predecessors disappear is not because it was better, but rather because it was WORSE but its customers like the blah blah foo foo marketing buzz blah foo stuff that Nir spews better than they like actually understanding what the expensive doo-dad they bought actually does.
Hey Anton? Did you actually read that article?? I am asking you this seriously. Because I just read it twice and the only words that I could find in what Nir was saying that are not pretty much 100% unadulterated marketing bullshit are the words: "network" "is" "the"
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards