Feb 16 2009

Nir Zuk responds to firewall discussion with Stiennon

Published by at 7:19 am under General

Nir Zuk, founder and CTO of Palo Alto Networks, responded via video to the conversation Richard Stiennon, Mike Murray, Amrit Williams and I had about firewalls for Demos on Demand.  He’s got a good point, that without added intelligence, once you open one port on the firewall, it’s functionally the same as a network cable.  Many applications are capable of proxying through ports 80 and 443 without any modification, so much of the filtering capability of an old-school firewall is rendered moot.  Not that many firewalls are just firewalls any more, but that may be part of his point.

Nir Zuk’s response to the Firewall Conversation



3 Responses to “Nir Zuk responds to firewall discussion with Stiennon”

  1. Adrian Boolon 17 Feb 2009 at 3:24 am

    Humorous, but not fair on firewalls I feel. The firewall is only reduced to a cable if neither of the systems on either side of the firewall are under the control of organisation owning the firewall.

    A firewall placed before a web server, for example, reduces the attack surface of that server to your nominated ports (e.g. 80 & 443). Of course, the web server daemon listening on these ports could still be exploited from outside – however the firewall provides useful service in preventing access to other ports (e.g. 445) hence rendering any vulnerabilities on these ports unexploitable from outside – something your $2 cable doesn’t do.

    Of course a firewall providing limited ports from a workstation under a user’s control to, say, the Internet is of very limited real value…

  2. […] Nir Zuk responds to firewall discussion with Stiennon – Martin McKeay I believe I posted a link last week to the video to the discussion, if not, it can be found in today’s article. […]

  3. SCon 04 May 2009 at 4:30 am

    Not fair is an understatement.
    Traditional firewalls provide more than just the basic functionality described.
    In addition to blocking ports and looking at the direction of the connection (verifying the connection originated and ended up as defined), even the most basic firewalls today handle NAT, VPN (peer2peer & client2peer), anti-spoofing and sometimes flooding attacks, etc…
    Most of them also have ALGs within, which allow inspecting packet content for specific applications (like FTP – it’s required for locating ports for the data connection, etc…).

    So a traditional firewall is far from being a cable.

    But, I agree that a traditional firewall is not enough and monitoring the applications & users can add a very NICE layer of security – just like Palo-Alto, Cyberoam & most of the IPS that exist today.
    But even Palo-Alto cannot guarantee security no matter what they do; most of the attacks (even over HTTP/HTTPS) will look like normal, regular web applications – this is where the IPS comes into the picture and looks for attack signatures – which can be bypassed as well (when crafting a hidden attack that will not be recognized).

    So, Nir – this is the question: Why do you believe Palo-Alto provides better security than most IPS & Firewalls (ignoring the fact that users & applications are recognized – which is NICE but not really unique)?
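The two comments above argue that a traditional firewall does more than a cable: it limits inbound access to nominated ports (80 and 443 for a web server, 445 blocked), checks the direction in which a connection originated, and rejects spoofed source addresses. The following model of a stateful packet filter is an added example written for this page; it is not code from the post, its commenters, or any vendor mentioned. The topology (an "ext" and an "int" interface, the 10.0.0.0/8 internal range, a web server at 10.0.0.80) and the packet sequence are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: the firewall sits between the "ext" (Internet) and
# "int" (internal) interfaces; the web server lives on the internal side.
INTERNAL_NET = ip_network("10.0.0.0/8")       # constructed internal range
WEB_SERVER = ip_address("10.0.0.80")           # constructed web server address
ALLOWED_INBOUND_PORTS = {80, 443}              # the "nominated ports" from the comment


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" or "int"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


class StatefulFilter:
    """Minimal model of a traditional stateful packet filter (illustrative only)."""

    def __init__(self):
        # Flows that were allowed to start, keyed by the initiating direction.
        self.conntrack: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        # Anti-spoofing: internal addresses never arrive from outside, and
        # only internal addresses may leave from the inside.
        if pkt.iface == "ext" and src in INTERNAL_NET:
            return "DROP spoofed"
        if pkt.iface == "int" and src not in INTERNAL_NET:
            return "DROP spoofed"

        # Direction check: packets belonging to a flow that was allowed to
        # originate are accepted in both directions.
        if forward in self.conntrack or reverse in self.conntrack:
            return "ACCEPT established"

        # A mid-stream packet with no tracked origin is not part of any
        # connection that started the way policy defines.
        if not pkt.syn:
            return "DROP no state"

        # New inbound connections: only the nominated ports on the web server.
        if pkt.iface == "ext":
            if dst == WEB_SERVER and pkt.dport in ALLOWED_INBOUND_PORTS:
                self.conntrack.add(forward)
                return "ACCEPT new inbound"
            return "DROP policy"

        # New outbound connections from internal hosts are permitted.
        self.conntrack.add(forward)
        return "ACCEPT new outbound"


def run_sample() -> list[str]:
    """Feed a constructed packet sequence through the filter and return the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("ext", "203.0.113.5", 40000, "10.0.0.80", 443, syn=True),  # client opens HTTPS
        Packet("int", "10.0.0.80", 443, "203.0.113.5", 40000),            # server's reply
        Packet("ext", "203.0.113.5", 40001, "10.0.0.80", 445, syn=True),  # SMB from outside
        Packet("ext", "10.0.0.7", 1234, "10.0.0.80", 80, syn=True),       # internal src on ext
        Packet("ext", "198.51.100.9", 5555, "10.0.0.80", 443),            # mid-stream, no state
        Packet("int", "10.0.0.7", 50000, "203.0.113.5", 80, syn=True),    # internal host browsing
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The sample run shows the point both commenters make: the HTTPS connection and its reply pass, the connection to port 445 is dropped by policy, the packet claiming an internal source on the external interface is dropped as spoofed, and a packet that arrives mid-stream with no tracked origin is dropped because the connection did not originate as defined. It also shows the limit Nir Zuk raises: the filter accepts anything on 443 to the web server, so what travels inside that flow is invisible to it.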
