Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Anton Chuvakin" <anton () chuvakin org>
Date: Wed, 28 Nov 2007 10:04:48 -0800

I see buzzwords and marketing a-plenty in that interview. :)

Very true! But there is also some substance, which I thought would
make a fun addition to this discussion.

WTF is "application-centric classification"?? That's what any
decent firewall has done since the beginning.

Ehhh, maybe not. I think he (well, his device :-)) implies that he can
quickly look at traffic flowing to the same port and then make an
access control decision based on the detected application type (e.g.
email or IM over HTTP is bad while web surfing over HTTP is OK) and
not just on port (e.g. TCP 25 is bad, but - OMG! - TCP 80 is OK)

Proxies (the ones I've seen, at least) can do decisions like "not
normal HTTP? -> good bye connection" but not 'allow YIM over HTTP, but
not AIM over HTTP'

And Zuk's implicit
claim in his first paragraph (that CheckPoint did what they did
because "current firewalls were ineffective") is disingenuous

Yes, this one was a shocker to me too :-)

What does all that MEAN?

The above is what I got from it.

If what he's saying is that "everything tunnelling over port 80 hurts"
well - Duh?

Well, yes, actually. But he seems to also add that he can now make
decisions quickly about what specific content of TCP 80 is OK and
which is not based on app/usage, which is kinda cool.

Hey Anton? Did you actually read that article?? I am asking you
this seriously. Because I just read it twice and the only words

Well, I did point some substance above; other pieces that I thought
were interesting:
- "Once the application is identified, it needs to be controlled and
secured, both of which require much deeper inspection into the
information itself. Note that simply blocking the application is not
enough - applications need to be controlled - some are always allowed,
some are always blocked but most require granular policy."

This points at something more interesting than "bad app protocol ->
kill it." If you can actually make sense and then make access ctl
decisions about all the TCP 80 mess, I think this would be pretty
cool, useful and new.

- "a client-facing, forward proxy that inspects outbound traffic"

This to me sounds pretty interesting as well: his device's primary
purpose is not to protect the inside from them Evil Outside (tm) :-)
but to audit and control what gets out and in what shape or form with
a degree of detail that is possible-but-very-hard to achieve with
other means.

Finally, I think that by being suspended in whitespace :-) between
tech and marketing realms for a few years, I developed a
'spider-sense' of deciphering what people actually mean by their
marketing. It is not ALL BS, you know :-)

Best,
-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
      http://www.chuvakin.org
  http://chuvakin.blogspot.com
    http://www.info-secure.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
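As an added illustration (not code from this thread or from any vendor's product), here is a small Python sketch of the decision Anton describes: classify a TCP/80 payload by the application it carries, apply policy per application rather than per port, and keep the proxy's "not normal HTTP -> goodbye connection" rule for payloads that are not HTTP at all. The host/path signatures and the sample flows are constructed placeholders, not real IM or webmail fingerprints.

```python
import re
# Constructed signatures keyed on what the request looks like, not the port:
# illustrative placeholders, NOT real Yahoo/AOL IM or webmail fingerprints.
APP_SIGNATURES = {
    "im-yim": lambda host, path: host.endswith(".example-yim.test"),
    "im-aim": lambda host, path: host.endswith(".example-aim.test"),
    "email": lambda host, path: path.startswith("/mail/"),
}
# Per-application policy; every flow below arrives on TCP/80.
POLICY = {"web": "allow", "im-yim": "allow", "im-aim": "deny", "email": "deny"}
REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n")

def parse_http(payload: bytes):
    """Return (host, path) for a well-formed HTTP/1.x request, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head = payload.partition(b"\r\n\r\n")[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep:          # malformed header line: not normal HTTP
            return None
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return None
    return headers[b"host"].decode("latin-1").lower(), m.group(1).decode("latin-1")

def classify(payload: bytes) -> str:
    """Label the application carried in the payload, ignoring the port."""
    parsed = parse_http(payload)
    if parsed is None:
        return "not-http"
    for app, matches in APP_SIGNATURES.items():
        if matches(*parsed):
            return app
    return "web"   # well-formed HTTP with no tunnelled-app signature

def decide(payload: bytes) -> tuple:
    """Access decision: the proxy rule for non-HTTP, the app policy otherwise."""
    app = classify(payload)
    return (app, "deny") if app == "not-http" else (app, POLICY[app])
# Constructed sample flows, all captured "on port 80".
SAMPLE_FLOWS = {
    "browse": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "yim":    b"POST /notify HTTP/1.1\r\nHost: msg.example-yim.test\r\n\r\n",
    "aim":    b"POST /session HTTP/1.1\r\nHost: web.example-aim.test\r\n\r\n",
    "mail":   b"GET /mail/inbox HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "tunnel": b"\x16\x03\x01\x00\x2fNOT-HTTP-AT-ALL",  # non-HTTP bytes on 80
}
```

Running `decide()` over SAMPLE_FLOWS gives allow for browsing and YIM, deny for AIM and webmail, and deny for the non-HTTP tunnel, even though all five share the same destination port.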
