Re: [fw-wiz] Firewalls that generate new packets..



> I see buzzwords and marketing a-plenty in that interview. :)

Very true! But there is also some substance, which I thought would
make a fun addition to this discussion.

> WTF is "application-centric classification"?? That's what any
> decent firewall has done since the beginning.

Ehhh, maybe not. I think he (well, his device :-)) implies that he can
quickly look at traffic flowing to the same port and then make an
access control decision based on the detected application type (e.g.
email or IM over HTTP is bad while web surfing over HTTP is OK) and
not just on port (e.g. TCP 25 is bad, but - OMG! - TCP 80 is OK)

Proxies (the ones I've seen, at least) can do decisions like "not
normal HTTP? -> good bye connection" but not 'allow YIM over HTTP, but
not AIM over HTTP'

> And Zuk's implicit
> claim in his first paragraph (that CheckPoint did what they did
> because "current firewalls were ineffective") is disingenuous

Yes, this one was a shocker to me too :-)

> What does all that MEAN?

The above is what I got from it.

> If what he's saying is that "everything tunnelling over port 80 hurts"
> well - Duh?

Well, yes, actually. But he seems to also add that he can now make
decisions quickly about what specific content of TCP 80 is OK and
which is not based on app/usage, which is kinda cool.

> Hey Anton? Did you actually read that article?? I am asking you
> this seriously. Because I just read it twice and the only words

Well, I did point at some substance above; other pieces that I thought
were interesting:
- "Once the application is identified, it needs to be controlled and
secured, both of which require much deeper inspection into the
information itself. Note that simply blocking the application is not
enough - applications need to be controlled - some are always allowed,
some are always blocked but most require granular policy."

This points at something more interesting than "bad app protocol ->
kill it." If you can actually make sense of, and then make access ctl
decisions about, all the TCP 80 mess, I think this would be pretty
cool, useful and new.

- "a client-facing, forward proxy that inspects outbound traffic"

This to me sounds pretty interesting as well: his device's primary
purpose is not to protect the inside from them Evil Outside (tm) :-)
but to audit and control what gets out, and in what shape or form, with
a degree of detail which is possible-but-very-hard to achieve with
other means.

Finally, I think that by being suspended in whitespace :-) between
tech and marketing realms for a few years, I developed a
'spider-sense' of deciphering what people actually mean by their
marketing. It is not ALL BS, you know :-)

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
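Added example, not part of the thread and not code from any vendor's device: a
sketch of the difference the post is discussing between a port-only decision
("TCP 80 is OK") and an application-aware one, where the first client bytes of
a port-80 flow are classified as web browsing, webmail, IM-over-HTTP, a CONNECT
tunnel, or something that is not HTTP at all, and policy is keyed on that label.
The host lists, policy table and sample flows are constructed for illustration;
they are not real application signatures.

```python
import re

# Constructed policy: decisions keyed on the identified application, not the port.
POLICY = {
    "web-browsing": "allow",
    "webmail": "block",
    "im-over-http": "block",
    "http-tunnel": "block",   # CONNECT to an arbitrary host through port 80
    "non-http": "block",      # some other protocol riding on TCP 80
}

# Hypothetical host lists standing in for an application signature database.
WEBMAIL_HOSTS = {"mail.example.com"}
IM_HOSTS = {"chat.example.net", "im-gateway.example.net"}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes):
    """Return method/target/headers for a well-formed HTTP/1.x request, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode("ascii"),
            "target": m.group(2).decode("latin-1"),
            "headers": headers}


def classify(payload: bytes) -> str:
    """Identify the application from the first client bytes of a port-80 flow."""
    req = parse_http_request(payload)
    if req is None:
        return "non-http"          # e.g. an SSH banner sent to port 80
    if req["method"] == "CONNECT":
        return "http-tunnel"
    host = req["headers"].get("host", "").split(":", 1)[0].lower()
    if host in IM_HOSTS:
        return "im-over-http"
    if host in WEBMAIL_HOSTS:
        return "webmail"
    return "web-browsing"


def port_only_decision(dst_port: int) -> str:
    """The 'TCP 25 is bad, but TCP 80 is OK' model the thread is poking fun at."""
    return "allow" if dst_port == 80 else "block"


def app_aware_decision(payload: bytes) -> tuple:
    """Return (application label, policy action) for the flow's first client bytes."""
    app = classify(payload)
    return app, POLICY.get(app, "block")


# Constructed sample flows, all destined to TCP 80.
SAMPLES = {
    "browse": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "im": b"POST /msg HTTP/1.1\r\nHost: chat.example.net\r\nContent-Length: 12\r\n\r\nhello there!",
    "webmail": b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "tunnel": b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        app, action = app_aware_decision(payload)
        print(f"{name:8} port-only={port_only_decision(80):5} app={app:13} action={action}")
```

Run stand-alone it prints one line per sample: the port-only column says
"allow" for every flow, while the application-aware column allows only the
plain browsing request. The classifier looks only at the first request, so a
flow that starts as ordinary browsing and later carries IM traffic on the same
keep-alive connection would need per-request (not per-flow) inspection to catch,
which is part of what makes the "granular policy" in the article harder than
"not HTTP? -> good bye connection".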


