Re: [fw-wiz] Firewalls that generate new packets..
> I see buzzwords and marketing a-plenty in that interview.
Very true! But there is also some substance, which I thought would
make a fun addition to this discussion.
> WTF is "application-centric classification"?? That's what any
> decent firewall has done since the beginning.
Ehhh, maybe not. I think he (well, his device :-)) implies that he can
quickly look at traffic flowing to the same port and then make an
access control decision based on the detected application type (e.g.
email or IM over HTTP is bad while web surfing over HTTP is OK) and
not just on port (e.g. TCP 25 is bad, but - OMG! - TCP 80 is OK).
Proxies (the ones I've seen, at least) can do decisions like "not
normal HTTP? -> good bye connection" but not 'allow YIM over HTTP, but
not AIM over HTTP'.
> And Zuk's implicit
> claim in his first paragraph (that CheckPoint did what they did
> because "current firewalls were ineffective") is disingenuous
Yes, this one was a shocker to me too :-)
> What does all that MEAN?
The above is what I got from it.
> If what he's saying is that "everything tunnelling over port 80 hurts"
> well - Duh?
Well, yes, actually. But he seems to also add that he can now make
decisions quickly about what specific content of TCP 80 is OK and
which is not based on app/usage, which is kinda cool.
> Hey Anton? Did you actually read that article?? I am asking you
> this seriously. Because I just read it twice and the only words
Well, I did point out some substance above; other pieces that I thought
- "Once the application is identified, it needs to be controlled and
secured, both of which require much deeper inspection into the
information itself. Note that simply blocking the application is not
enough - applications need to be controlled - some are always allowed,
some are always blocked but most require granular policy."
This points at something more interesting than "bad app protocol ->
kill it." If you can actually make sense and then make access ctl
decisions about all the TCP 80 mess, I think this would be pretty
cool, useful and new.
- "a client-facing, forward proxy that inspects outbound traffic"
This to me sounds pretty interesting as well: his device's primary
purpose is not to protect the inside for them Evil Outside (tm) :-)
but to audit and control what gets out and in what shape or form with
a degree of details which is possible-but-very-hard to achieve with
Finally, I think that by being suspended in whitespace :-) between
tech and marketing realms for a few years, I developed a
'spider-sense' of deciphering what people actually mean by their
marketing. It is not ALL BS, you know :-)
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
firewall-wizards mailing list
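The distinction the post draws, between deciding on the port alone and deciding on the application detected inside TCP 80 traffic, is easier to see in code. The block below is an added illustration written for this thread, not code from any product or person mentioned in it. The HTTP samples, the hostnames (`webmail.example.net`, `chat.example.org`), the `ExampleIM-Client` user agent and the `application/x-im-message` content type are all constructed for the example, and the fingerprints are deliberately simple stand-ins for what a real engine would do with far richer signatures and flow state. It shows the three policy outcomes the quoted text names: always allowed (plain web browsing), always blocked (IM and tunnels over port 80) and granular (webmail may be read but not used to send).

```python
"""Toy application-centric classification for traffic arriving on TCP/80.

Added example for the firewall-wizards thread; not a product's code.
All sample traffic and fingerprints are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple, Union


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]          # header names lower-cased
    body: bytes = field(default=b"")


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def classify_application(req: HttpRequest) -> str:
    """Name the application carried over port 80 (constructed fingerprints).

    Order matters: a webmail GET also looks like a browser request, so the
    more specific checks run first and generic browsing is the fallback.
    """
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "").lower()
    ctype = req.headers.get("content-type", "").lower()
    if req.method == "CONNECT":
        return "tunnel"                      # arbitrary TCP wrapped in HTTP
    if host.startswith("webmail.") or req.path.startswith("/mail/"):
        return "webmail"
    if "im-client" in ua or ctype == "application/x-im-message":
        return "instant-messaging"
    if req.method in ("GET", "HEAD") and "mozilla" in ua:
        return "web-browsing"
    return "unknown"


def webmail_policy(req: HttpRequest) -> str:
    """Granular rule: reading mail is fine, sending (POST) is not."""
    return "allow" if req.method == "GET" else "block"


# Per-application policy: a fixed verdict or a callable for granular control.
POLICY: Dict[str, Union[str, Callable[[HttpRequest], str]]] = {
    "web-browsing": "allow",
    "instant-messaging": "block",
    "tunnel": "block",
    "webmail": webmail_policy,
    "unknown": "block",                      # default deny for unrecognised apps
}


def decide(raw: bytes) -> Tuple[str, str]:
    """Application-aware decision: (detected application, verdict)."""
    req = parse_http_request(raw)
    app = classify_application(req)
    rule = POLICY[app]
    verdict = rule(req) if callable(rule) else rule
    return app, verdict


def port_only_decision(dst_port: int) -> str:
    """The traditional rule the post contrasts with: port 80 is simply OK."""
    return "allow" if dst_port == 80 else "block"


# Constructed sample requests, all destined for TCP/80.
SAMPLES: Dict[str, bytes] = {
    "browse": (b"GET /news/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0 (constructed)\r\nAccept: text/html\r\n\r\n"),
    "webmail_read": (b"GET /mail/inbox HTTP/1.1\r\nHost: webmail.example.net\r\n"
                     b"User-Agent: Mozilla/5.0 (constructed)\r\n\r\n"),
    "webmail_send": (b"POST /mail/send HTTP/1.1\r\nHost: webmail.example.net\r\n"
                     b"User-Agent: Mozilla/5.0 (constructed)\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Content-Length: 23\r\n\r\nto=bob&body=hello+there"),
    "im": (b"POST /im/poll HTTP/1.1\r\nHost: chat.example.org\r\n"
           b"User-Agent: ExampleIM-Client/2.0 (constructed)\r\n"
           b"Content-Type: application/x-im-message\r\nContent-Length: 5\r\n\r\nhello"),
    "tunnel": b"CONNECT mail.example.org:25 HTTP/1.1\r\nHost: mail.example.org:25\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        app, verdict = decide(raw)
        print(f"{name:13s} port-only={port_only_decision(80):5s} "
              f"app-aware={verdict:5s} ({app})")
```

Every sample passes the port-only rule, which is exactly the "TCP 80 is OK" position the post pokes at; the application-aware path lets the same five flows through, blocks them, or applies the granular webmail rule depending on what they carry.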