Show 122 – Mission Impossible: Blast Radius, Part 2

In this "part 2" podcast (show 119 was part 1), co-hosts Ethan Banks and Greg Ferro are joined by Tom Hollingsworth, Tony Bourke, Kurt Bales, Ivan Pepelnjak and Michele Chubirka aka Mrs. Y. As the show continues, we ramble on about the following:

What We Discuss

  • The future of WAN acceleration. Greg was writing this report and started to read up on some things, and then there were all these opinions…you know how it goes on this show.
  • Check Point’s not feeling the love from this crew. Perhaps a little warmth…the amount of heat you’d feel from a match struck six feet away. But then the discussion morphs into firewalls in general, where the heartfelt admiration of those chattering into their microphones is still really hard to find.
  • The security ramble continues into firewall management platforms, followed up by just how we should be securing virtualized environments.
  • Closing it out are some bits about overlay networks and how they are impacting data center design.

Fun show to record – we hope you enjoy!

Ethan Banks
Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 3M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks
  • Dan Shechter

    A great continuation to a great show.

    Here are my comments:

    I think that the Checkpoint bashing is not rightful. I have worked with several firewall vendors (Checkpoint, Cisco, Fortigate, OpenBSD PF, Linux iptables), and IMHO Checkpoint is still leading the group.

    There are two parts in every firewall:
    1. System configuration (interface/device admin/networking)
    2. Policy

    IMHO, the Policy part is second to none. On the outside, one might think that nothing changed in the GUI, but over the years there were many, many improvements. And they were always years ahead of any other vendor.

    Regarding the System, right until now, you had to be a system admin to run Checkpoint. No CLI. Some parts are menu based, other parts are Unix-like commands. And here is a little secret: a person with no system admin background can't do security. A pure networking guy does not have a deep enough understanding of how systems and applications work.

    But now, they have a fully functional CLI, which makes it much easier for the average network admin to install and operate.

    I think that a show about all firewalls is long overdue.

    Virtual Appliances

    The consequence of security virtual appliances, which load modules into the hypervisor kernel, is that all packets go through the module. Even if you have "permit/bypass any any" as a policy, all packets go through the module.

    Do we really want this to happen? Can we troubleshoot it? Is it worth it? What about non-virtual servers?

    Do we want to couple our virtualization_vendor/version/others_appliances_modules with our security solutions?

    I think that for most implementations, non-hypervisor-module appliances, be they virtual or physical, make more sense and are easier to troubleshoot and operate.