March 26, 2025 64 mins

Have you ever felt like your networking knowledge stops at layer three? You're not alone. In this eye-opening episode, we dive deep into the world of firewalls with security experts Jeff Clark and Matt Lushner, exploring why these critical devices are no longer just "edge protection" but have evolved into sophisticated security platforms that every network engineer should understand.

From simple port filtering to next-generation capabilities like deep packet inspection and application awareness, we unpack how modern firewalls have transformed network security. Matt and Jeff expertly guide us through complex concepts like zero trust architecture, explaining how firewalls now integrate with active directory, endpoint protection, and threat intelligence to create comprehensive security ecosystems.

Ever wondered what a DMZ actually does? Or how firewalls can inspect encrypted traffic? We tackle these questions and more, making security concepts accessible for network professionals looking to expand their skillset. The conversation reveals why network engineers are uniquely positioned to excel in firewall management – your understanding of traffic flows and routing gives you a head start in the security world.

The traditional boundaries between networking and security are blurring, with firewalls now replacing routers in many environments and security considerations becoming embedded throughout the network rather than just at the perimeter. Whether you're curious about career progression into security or just want to better understand how your network's protections function, this episode provides the perfect introduction to the fascinating intersection of networking and security.

Find everything AONE right here: https://linktr.ee/artofneteng

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.

Speaker 1 (00:00):
This is the Art of Network Engineering, where technology meets the human side of IT. Whether you're scaling networks, solving problems or shaping your career, we've got the insights, stories and tips to keep you ahead in the ever-evolving world of networking. Welcome to the Art of Network Engineering podcast. My name is Andy Laptev. In this episode we have a new face, Matt.

(00:21):
Hmm, I should have figured this out ahead of time.

Speaker 2 (00:24):
I'll let you try. Nailed it. First try.

Speaker 1 (00:29):
Matt, how are you? Welcome to the show. Quickly, do you want to tell folks where you work? What do you do?

Speaker 2 (00:33):
My name is Matt Lushner. I'm a Cisco Solutions Engineer. I've been there for five years. I do data center networking automation. I actually just did a Cisco Live presentation on CML and I do a lot of random comment content on that on a day-to-day basis, just because it's a really good tool. I just like talking about it and showing people some of the

(00:54):
cool things they can do.

Speaker 1 (00:54):
Labbing. I love labbing. It's the easy life, man. Can you lab anything above layer three? Hint, hint, foreshadow. Above layer three?

Speaker 2 (01:03):
Hint, hint, foreshadow. You definitely can lab some things above layer three, and in fact with the most recent release of Cisco Modeling Labs you can do the ASA but also Cisco's next generation secure firewall. So you can get the GUI and start figuring out how to do firewalls with the GUI.

Speaker 1 (01:21):
Awesome, Matt, thank you so much for joining us. And Jeff Clark, returning previous guest contributor, I think we're going with. Sounds good. All around great guy who likes to help me out and hang out. Jeff, how you doing buddy? How are things?

Speaker 3 (01:33):
Doing good. Nothing like, nothing more than hearing myself talk. So it's great. Perfect on a Thursday night.

Speaker 1 (01:40):
Three nerds who love to hear themselves talk. What better panel for a podcast?

Speaker 3 (01:44):
Right.

Speaker 1 (01:44):
Exactly. If you didn't like to talk, it'd be a really boring show for everybody. Jeff, where do you work?

Speaker 3 (01:48):
I work over at Fortinet as an SE. Over there my main focus is network security, mostly in the firewall, SD-WAN side of things.

Speaker 1 (02:05):
I'm the odd guy out. I am not an SE, I've never been an SE, I was almost an SE. So in this episode I thought it'd be cool to talk about firewalls. We have never done an episode in 160 something episodes about firewalls, network engineering. My experience in my career and in my studying and my certs for 15 years has gone to layer three and stopped, right, and from people I talk to I guess it depends on the environment you work in. My buddy Kevin, who used to be on the show, we started out. I feel like you start out in network engineering. Like does anybody just start in firewalls, right?

(02:25):
Like you kind of have to learn the network. I was even talking about your career, Jeff, with Matt before we started, and like you're a network engineer with me and then you wanted to get into security and firewalls. You had to go get that job and to get to a vendor and stuff. So there seems to be a progression almost up the OSI layers, at least for me, right. I started in physical as a cable guy and then logical on the NOC and yada, yada, yada. So I don't know much about firewalls and I don't know if

(02:49):
other network engineers out there are in the same boat, but I just thought we could have a high level discussion. You're two security guys. Jeff, you work at a security company, Matt, ton of experience with firewalls in production, and I have none, so I'm hoping you guys can kind of educate me and anybody else along for the ride on all things firewall. Firewall 101, that the title of the live stream was

(03:10):
like firewalls are friends, right. Like it reminded me of Nemo. Like fish are friends, not food. Like firewalls are our friends. So let's start like really high level. Why do we need firewalls in our environments? Why is all the filtering we do, up to and including layer three, not enough? What do firewalls give us from a security posture or just in general? So let's start there. Why do we need firewalls in our networks?

(03:31):
I

Speaker 3 (03:31):
don't know if you want to take this, Matt, or you want me to run with it, but I guess I would look at it the same way as why do you have locks on your door, right? Why do you have it? Why

Speaker 1 (03:39):
do you lock

Speaker 3 (03:40):
your car at night? Why, Jeff?

Speaker 1 (03:41):
I have ACLs and prefix lists and route maps. You can't get into my network. I have filtered it at layer three.

Speaker 2 (03:46):
And I have MAC filtering at layer two.

Speaker 1 (03:49):
So I hear what you're saying, right, but I have locks on my doors, I think. Maybe I don't. What does a firewall prevent that routers and switches and all the security embedded in them don't? We are taught security from day one in networking, right.

Speaker 3 (04:03):
So the big difference between what you're talking about and when you say firewall. When you talk firewalls, you're probably thinking more along the lines of the older, like ASAs. Talk about Cisco, the old ASAs, when they were brand new. They were maybe layer four firewalls where you were blocking stuff and you have port 22. Or you're blocking port 23 because you didn't want to allow Telnet, or whatever.

Speaker 1 (04:29):
I've watched buddies configure, like Palo is an example, right, so they set zones and then they have rules and then what thing is in what zone and what can connect to what. That I think that's layer four, but there's a lot of other, like the next gen stuff, like there's other things happening, right, like. So I don't want to get too far ahead. I think you're going to like layer seven stuff, right, right, and application aware and all that. But let's, if we could start slow. If we could start slow there at layer four. Is that just what we're doing? Is like we're setting zones and

(04:50):
then we're creating rules on what can talk to what? Is that kind of the basics of firewalling, or no?

Speaker 3 (04:56):
That's like saying isn't the basics of routing just you just build these static routes and you're done, and then everybody just goes where they want. Well, my only context is watching. Right, totally.

Speaker 1 (05:04):
Totally. My only context is watching somebody, like we were trying to migrate from one environment to another at a job I had and it was failing. The customer testing was failing because the firewall wasn't configured right. So I was, and he's like oh, I didn't have their 13 subnets that they're using in the rules, now they are. Bing. So that is very simple, but that's what I saw.
Speaker 3 (05:23):
So the other thing to think about with firewalls. A lot of time, at least from a network engineer perspective, before I started working in the firewall world, before I started working in security, I tended to think of firewalls as kind of on the edge, right. That's what keeps you from getting into my network. That world has... It's not. That is still a very important part of a firewall, but more and more what we're seeing is security inside of our networks,

(05:47):
because if you look at the vast majority of vulnerabilities, you look at the vast majority of hacks that are happening, they're not people that are coming in from the outside. They're people that have got something on the inside of your network already that are allowing you to kind of move laterally across the network. A good example there was a casino.

(06:07):
This was not a customer of ours or anything like that, it's just a story that you can look up in the news. There was a casino a few years ago that had a ransomware attack and they were hacked because someone in the facilities said what we could do for this huge saltwater fish tank we have is we could put in a smart temperature sensor.

Speaker 1 (06:22):
I was hoping this was the one you were going to reference.

Speaker 3 (06:27):
It's everybody's favorite, right, and what's great about the story, though, is it's such an absolutely simple, benign, basic thing. Of course it's not a big deal. This is just going to monitor the temperature. You can let me know. I can check the salinity of the water. I don't know anything about fish tanks.

Speaker 1 (06:42):
So I'm not making stuff up. You're doing great. But they probably left the default credentials on, which a port scanner picked up, and then they used the default creds and got in.

Speaker 3 (06:49):
Even if it wasn't, even if it wasn't the default credentials. Most of those IoT, Internet of Things type of devices, they're not patched regularly. There's all sorts of vulnerabilities on them. So what security has really become is not just protecting your network from the outside in, it's protecting that smart thermostat that you have from being able to talk to your

(07:10):
servers. It's about where networking and security comes in is we're still using some of the same segmentation that we've done. We're using VLANs, so obviously we're functioning at layer three there.

Speaker 1 (07:21):
We can even do security at layer two on a lot of devices, so you're going way faster than I was hoping to, but that's, and I'd like to get so for a couple of minutes. I just want to jump back to the edge perimeter kind of. I think if we walk through historically, if we jump right into like, well, we've got an application aware, and we're inside out and they're like so let's, let for people like me who read that article but don't know much else about it, but why

(07:46):
do we need firewalls at the edge? When you say the edge, are you talking about where the internet connects? Do we need them where MPLS comes in? Because one of the questions I had for you guys, even as placement, let's go back five years before IoT and the attack surface became everywhere, and let's just go back five years to like, okay, it's at the edge, people coming in and out. Where do you put those firewalls? Logically, I know you say edge, but is that in every MPLS

(08:09):
circuit that's terminating, or my routers? Is that just the internet? Is it my GET VPN router? I have connected in a data center, like, where is the edge that you're protecting? All of that? The edge could be anywhere. It could be anywhere.

Speaker 2 (08:21):
Right. So you're looking potentially internet. It's the obvious point where you're going to put a firewall. But what if you have stuff internal? What if you have sensitive data projects, things like that, that you want to protect, and you would put firewalls in those locations? Because the idea is, put like ACLs, we put them on the inside

(08:41):
interface, as close as possible to the source, and we block the traffic as close to the source. With a firewall, we kind of do the same thing, except we're moving that perimeter from the outside in. So the networks I've supported in the past, we'd have it at the equivalent of the internet and then we might have data centers where we also have a firewall and you would actually be dual stacked. You'd have a firewall at your edge of your network, but then in

(09:02):
the data center you have additional firewall rules because you want to protect kind of that network of people that are sitting in that in-between area, your users, and what they're allowed to go into in the data center. And if you have like systems, like I did thin client work, if you have thin clients in the lake that are sitting there providing desktops, you want to protect within that data center where they're able to transit through the network. So the firewall placement is all about where you want to

(09:23):
control access for your hosts.

Speaker 1 (09:31):
So let's pull on that string just for a second. So let's say we have a sensitive area, you want to control access. There's a resource that you don't want everybody to be able to get to. Again, my point of reference is route filtering. So in the environments I managed, every client was given a slash 24 subnet. That's what we let in through our route filters. We'd have route maps tied to prefix lists and you were only getting in and out of our WAN if your subnet fell within a

(09:54):
particular. But that's not to say that that, say, bank customer coming in to get a service, once they're in, to your point, I guess there could be sensitive information internally. So this is just opening up my mind because I'm like, well, there are customers, we gave them the subnet, we're letting them in. Why can't they go everywhere? Well, to your point, maybe there's a federal zone with classified stuff in a particular area that you need special

(10:16):
access for. And just because you're through the routing, the route filters, doesn't necessarily mean you should get to the IRS database, right.

Speaker 3 (10:24):
That, right, we may or may not be managing, so that, that's helpful for me. If I came to your house, I wouldn't go into your bedroom and dig through your drawers, right? But ideally, ideally, someone's not doing that. Part of putting firewalls everywhere, putting security everywhere, is about making sure that you... You've worked in data centers before. You have the turnstile that everybody gets into a data

(10:45):
center, you get through there, but then you have your mantraps when you get. I mean, you've got to either card in or, in some cases, in a really secure area, they've got some kind of biometrics that are getting you in there. Security is the same way and it's all about putting those boundaries there. And while, yes, subnets sound like they're sufficient, the problem is that not everybody that's on the same subnet should have access to the same thing.

(11:06):
Like, for example, you're not a server guy. Is there a good reason that you or me, who's not a server guy, should have access to those servers? And you're like no, but that's what credentials are for. But that's just us employees who probably wouldn't go there. When you have people who are in your network with malicious intent, they're not abiding by the... You don't have the proper credentials, so you're not going

(11:26):
to be able to log in. There's a lot of other ways that they're trying to get in.

Speaker 1 (11:29):
That makes sense, and I don't mean to ask, I don't want to say dumb questions. I know I'm asking really simplistic questions, but these are just some of the thoughts I've had, because I'm the WAN guy and we have firewall people and I don't have to worry about it, and when it doesn't work, I know my transit's good, I kick it to the firewall people.

(11:49):
But that doesn't help me learn what you guys know, and I think that for me, at least in the data center, the more systems I can learn, the better I become at my job. If I know about applications and a little bit of coding, I can talk to the app people when something doesn't work. Same with security, right, like oh, this I might be able to tell as a routing guy, like oh, looks like firewall, like I can see it getting here. They probably didn't submit the right, the right port or whatever. But so that's all, but that. So the last question I guess I want to ask in this old school historical context of the edge and sensitive information, you

(12:13):
helped me get that in my head, Matt. One of the places I worked we didn't know where the firewalls were, we couldn't access them, and that was probably by design. But one day somebody shared with me a map of all of our firewalls. There's so many firewalls. So what's the strategy? What's the logic? I guess it's design, like if you're doing security design,

(12:33):
where do you put them? And if you want to ignore the historical edge stuff and just bring it up to, if it's easier to do it, explain it in modern day parlance. Okay.

Speaker 3 (12:41):
And part of the reason it's easier to kind of ignore that is because the world of security, and especially firewalls, is changing, and it has changed rapidly.

Speaker 1 (12:50):
What are we saying? What's changed? Like IoT is one thing, right.

Speaker 3 (12:53):
Well, right now, the biggest thing that everyone's going towards is, IoT is part of it. Right, you talk about that attack surface. So many different pieces that are in your network are now attack vectors. When a person comes into your network, you can usually assume they're going to get between three and four IP addresses with the stuff that they've got, whether it's their phones or their tablets and their laptops, maybe their watch connects and whatever.

(13:14):
They're coming in with a bunch of different things. But the reason I say things are changing is, so I work primarily with firewalls. The vast majority of the teams I'm working with aren't even the security teams. They're actually the networking teams, because in many cases they're beginning to collapse. That firewall goes here, routing device goes here, and now your router, or your firewall is your router. That's Fortinet,

(13:37):
that's the Firepower, that's Palo Alto boxes. That's the big thing that customers are starting to do with them is they're collapsing that core and edge into a single security edge. Because then you're able to do it at that layer three boundary, you're able to monitor the traffic between this VLAN and that VLAN. Your firewall becomes your router.

Speaker 1 (13:56):
So I have a question. Yeah, go ahead. Like you and I worked at Comcast as an example, I don't see. My question to you is who manages the network and who manages the security for the network? And if it's one device, I can't see a company like Comcast or other places I've worked making me, the network guy, now the security admin in a firewall, like so. Does that change? The role is changing, to your point.

(14:17):
If you can replace a router with a security device that has routing built into it, does that create any problems organizationally for the... There's demarcs, usually in roles, and now you're joining them. Does that mean the router guy has to learn security? Does that mean we get rid of the routing people because security can do it all? Like what have you seen?

Speaker 3 (14:36):
I would say more so in enterprise than when you look at... When you look at Comcast, you want to think that's more ISP. But for the guys that were handling our credentials there, or the network that you and I would connect to to get to other Comcast stuff, they very well may also be the firewall guys. That wasn't the network you and I were handling. We were handling the network for the MPLS circuits and the EPLs and ELANs and all that stuff, and in those cases we

(14:59):
weren't handling security because we had customers who were looking for end-to-end connectivity and they were putting their firewalls in place. But in the case of an enterprise network, your firewall guys are as often as not your network guys. But you asked a question earlier which I think was important, which is, is there a kind of a path? And I know some people who started out in security, and it's harder for them to do firewalls than it is for a network guy

(15:23):
because a network guy already, we understand how things connect. We understand just basic rules of routing and where I might want to put in some ACLs. All of that stuff we already get. We get traffic flows. People who don't understand networking don't necessarily understand traffic flows. They don't understand that when I say VLAN, which is something

(15:44):
on a switch, that's really a layer three boundary, they don't understand that that is actually something that has to be routed, whereas we get that instinct. So I would say your network people are your best firewall. I'll be glad to be told wrong.

Speaker 2 (15:56):
No, I totally agree, because, from my experience, being able to work with routers, switches, understanding routing protocols, that's core fundamentals to managing any kind of firewall, because you still have to set up an IP on the interface. You might be able to make it a transparent firewall and it's layer two, but in most cases we're using it as layer three. So we're going to set an IP up.

(16:18):
Then we have to think about the concept of outside and inside interfaces. Where are our security boundaries? And then the next level becomes like building those ACLs and the things that you want to allow in your network. Well, a network engineer, if he's got a really good, she has a really good network diagram, they should have a really good idea of what all their subnets are, what's on the network, and then they can start building out really good rules and ACLs and

(16:40):
all the things they need to allow traffic out of the network. They just have that inherent ability because they've got all this documentation. That's how I've always been successful in my firewall management is I have good documentation, I know what's on my network and I make sure when people are asking for things, I understand why they're doing it and what these rules are. Having that routing, switching

Speaker 1 (17:06):
experience as a network engineer is crucial, I think, for just managing, not even getting into the day-to-day operation of it, and that seems to be the progression. Like it seems like the firewall. Both of you, right, like you manage networks. I guess before you were managing firewalls, and other buddies I've had. So okay, old school historical, like was there a time? Was there pre-firewall time? Have we always had firewall in networks? You have to filter at layer four and above.

Speaker 3 (17:26):
You can go back to the PIX firewalls. Those were some of the first.

Speaker 1 (17:30):
PIX were the first. I remember the Zone-Based firewalls in the Cisco routers I managed.

Speaker 2 (17:34):
And I'd say one of the things you've mentioned earlier is like, why even have firewalls? And there's this idea today, like everything has collapsed. Switches can do routing, routing can do some bit of switching, and then firewalls are doing routing, and those devices still are purpose-built to do certain things. You don't necessarily want to take a router and take a full

(17:55):
BGP table, like that's not a thing. Can you run BGP on your firewall? Absolutely, but you're going to take performance hits potentially and there's other things you have to account for when you're managing that firewall. So, yes, the firewall can be a router, but you have to think about where it is on your network and whether it should be, size accordingly. Said, oh, we're collapsing routers in

(18:16):
the firewalls.

Speaker 1 (18:16):
I'm like, I didn't want to ask and it sounded adversarial, but like, are you hosting the BGP table?

Speaker 3 (18:22):
If you get the right size box, absolutely. We have customers doing it. So where I used to work, which was a school district, it was a weird giant flat layer two topology and we had 300,000 students going through a single pair of firewalls which were the layer three device. Now there were, I shouldn't say they were the only layer three devices, but for the most part that was all of the egress. Was there? All the BGP configuration was on the firewalls.

(18:46):
Now we weren't taking in the entire routing table, but we weren't hosting a lot of stuff. There weren't great reasons for us to take in the entire routing table, but again, 300,000 users going through. These were really beefy boxes.

Speaker 1 (18:57):
I don't mean to harp on the details. What are we? I know I've asked this before so I apologize for repeating myself, but what are we filtering in the firewall? In my mind it's layer four, so it's IP and protocols. And I'm only saying that because I remember when application teams would have a new app that we'd have to open up in the data center, they would submit the firewall request and be, well,

(19:18):
here's our IP, here's the TCP/IP ports that we need opened, and firewall people would create rules. So is that old school edge, like, oh, that was the old way and now we're, cause I don't understand the difference between that and then what you call like next generation application aware. So I don't know if we can have a discussion around, like, so is my first statement that firewalls, at least historically

(19:40):
or at a minimum, are filtering at layer four. Is that fair?

Speaker 3 (19:43):
That's table stakes. Everybody's going to do that, I understand, but that's the difference between a firewall and a router.

Speaker 1 (19:47):
A router can't filter layer four, right, so any

Speaker 3 (19:51):
router, non-next-gen, will do, and that's where you're doing it at the port level. But that is really pretty basic. So take SSL VPNs, right. SSL VPNs use port 443. If you're going across an SSL VPN or whatever, but they're often just using your standard internet ports, but with the next-gen firewall, I can block things like SSL VPN. With the

(20:12):
next-generation firewall, if I'm doing things like full, deep packet inspection, which means I'm essentially doing a man-in-the-middle attack and I'm seeing every little nuance in that packet that's going, I can do things like say, okay, you want to go to Facebook, all right, our organization has a Facebook page. Here's what you're allowed to do. You're allowed to view Facebook, but you're not somebody from the organization we want to post to Facebook.

(20:34):
We're going to stop you from posting to Facebook. So we can take applications like Facebook. I know, website, application, however you want to define it. If we get really granular, we can block it at the level of you can post. You can read. School districts, for example, are using deep packet inspection to inspect the Google search that a student

(20:55):
does or the chat messages that a student sends over Google Chat. So if they say something that seems like bullying, school districts can flag that kind of stuff. Like that all falls under security, not necessarily that you're the guy configuring it. A lot of the next gen firewalls have some of that stuff built in. So don't think about you configuring it. You're kind of applying some built in stuff and then you're

(21:17):
monitoring it, or that maybe with the security team, the guys that that's all they do with security are looking at is the logs for that stuff. But you can get really, really granular. Next gen firewalls, way beyond ports.

Speaker 1 (21:28):
So right. So that sounds fascinating and magical and I want to dig into that. But I keep asking very basic questions and you keep going to outer space. So is there anything in between layer four and next gen, or did, and that sincerely, like, did the jump happen of like you're just filtering it? Layer four to like, woof, application aware deep packet

(21:48):
inspection, like did the industry jump or was it incremental?

Speaker 2 (21:51):
So I know at one point the firewall services module, because they started upgrading some of that code, you went from the ability to just do your application layers or your transport layers. So you're doing TCP, UDP, you're getting your applications, NFS, whatever those things might be. They released identity firewalls. That was the next progression where, instead of just

(22:15):
monitoring the firewall and trying to see what packets and IPs and people were trying to get to, they wanted to do the domain control and say here's my list of users, here's the groups, and this is where those groups are allowed to go to. So now you have two layers of inspection. Is this person on a network that I want them to come in on, and is this person in one of the groups that's approved to come into the

(22:36):
networks? And now you're not only monitoring them by the IP address and location, they're also getting that user state data from the domain controller. Like that was the first big leap, I would say, in firewalls. And then, at least from a Cisco perspective, they got the Firepower stuff, they pulled that into the ASA and now you can do malware detection, you can do web URLs and you can

(23:00):
still do the identity stuff. So you've got transport layer, you've got identity, you've got URL and malware and all these other different things that you can track. Now it just has continued to build up. We're getting into this whole world of AI which everybody talks about. What's the AI doing? How's the AI coming in to interface with your devices, to

(23:20):
provide the security and threat intelligence on your network.

Speaker 3 (23:23):
Essentially what Matt's kind of talking about is
we're going from what an oldschool firewall was, which was
can this machine on this subnettalk to this machine on this
subnet we moved to can thismachine with this user, or can
this device with this usercredentials talk to this device
with this user credentials?

(23:44):
And I think where we're reallygoing, and this is what you're
going to be, what we're seeingbig in the industry, is that the
firewall kind of becomes thiscentral brains of a lot of other
security components.
So zero trust is a part ofsecurity and I know this is
supposed to be a firewall one,but the problem is Well, no, I
was hoping to touch zero trust.

(24:08):
That's on my list of things.
And it's hard to talk about firewalls without starting to talk about some of the other components that can talk to your firewalls.
So what zero trust does is it goes from okay, this machine has this IP address, or forget the machine to say, initially, we just know IP address and credentials, we've talked about that.
What zero trust allows us to do is it allows us to say this machine that meets this criteria so company laptop that's on our

(24:28):
Active Directory, that has our antivirus, that currently has no malware detected, that is managed by this user can talk to this machine over here.
It's a ton of different things, but what's nice about it?
Current firewalls, the next generation firewalls.
They're constantly checking.
So the analogy I use is if you've ever been to a bar with a

(24:49):
bouncer, that bouncer initially checks your ID and he's a guy you can go in and then you go into the bar, right, and then it's free rein, you can go, get all the drinks you want.
There are some bars that don't have a bouncer.
So you go up to the bartender and he checks your ID.
He's like I'll give you a drink.
You go up, you're like all right, let's order another beer.
He looks at your ID, you can get a drink.
Next-gen firewalls that's a really inefficient way to check

(25:11):
people's credentials.
But next-gen firewalls can do that efficiently, right, they're constantly checking does the device meet a certain criteria?
So if somebody who's currently on your network downloads malware, for example, a next-generation firewall that's connected with your other security appliance is able to actually stop that user mid file transfer and say, okay, you

(25:32):
can't go anywhere else in the network to get it fixed.

Speaker 1 (25:34):
That's the new stuff I didn't know.
Here's why I wanted to have this conversation, because I'm like, oh, we're just filtering it, layer four or whatever, like I don't need to learn this.
But like, holy crap, I didn't realize how many.
I didn't know the firewall was talking to other systems.
You said Active Directory.
So what kind of systems or what kind of things are talking to the firewall to give it all that intelligence so it can make decisions?

Speaker 3 (25:54):
I'm going to say Active Directory, or I know it from Fortinet's side, Matt knows it from Cisco's side.
Anybody that's on here that knows Palo knows it from Palo's tools and I can tell you we've got endpoint security appliances that can talk to our firewalls.
We've got a NAC, just like Matt.
They've got Cisco ISE.
We have FortiNAC.

Speaker 2 (26:11):
Cisco's Secure Client.
When you connect to VPN, like, all of these things collect telemetry from the device, anything that you're doing.
It all becomes a point of reference for what the person is doing on the network and how the firewall should respond.

Speaker 1 (26:27):
How are they sharing information with each other?
Is it API calls?
Is it some other magic?
It's a lot of API stuff.

Speaker 3 (26:32):
And it doesn't even have to be within the same vendor.
So Fortinet can work with Cisco ISE, we can work with Cisco Umbrella, we can work with Duo or third-party MFA solutions.
The same is true with Cisco right.
They can work with other vendors as well.
That's what's becoming really nice with today's security.
Though, is today's security stuff is it's a broader platform.

(26:53):
So it's you come.
If you, as a network person, get into the world of security, you have a leg up on anybody else who's just been handling the AV and they've just been handling the endpoint, or maybe they've just been handling NAC, because you really understand how everything communicates.
And that's the part that, again, I don't want to harp on it, but that's the part I think, as network engineers, we have that

(27:15):
others don't have, that are in the security world, because we just know how things talk.
We know, for example, you can have multiple routers in an environment, and as network engineers, we can figure out which of those routers was making that routing decision.
Other guys just look at it and they just see a bunch of routers.
They don't know where decisions were made.

Speaker 1 (27:32):
And like layered security is a strategy, right.
Like you, again, I know that we're talking about some really cool stuff, but even like something as basic as like VLAN segmentation, right.
Like if somebody gets into a network and they have bad intentions, if you have segmentation, like in my home network right now, everything's in one VLAN.
It's very embarrassing.

(27:53):
I tried to segment it.
I couldn't get it to work, I gave up.
I have to read more documentation.
I have a maybe Ubiquiti UDM Pro and I tried to do it and then I couldn't access things and I panicked and gave up.
There are many layers, right.
One of the basics would be like segmentation, like if you have VLANs and everything segmented, hopefully you can't hop.
If somebody gets in, they can only access what's in that one VLAN, right, like in theory.

Speaker 3 (28:15):
But that's you can.
You can even say where did that conversation start?
So, for example, I have smart home stuff in my house.
I can reach out to my smart home devices, but my smart home devices cannot start a conversation with something on my home subnet.
Does that make sense?
So I can make it a one way and then you can respond to communication, but they don't get to initiate the call.

Speaker 1 (28:34):
If that was that is that because you set up those rules and put everything in subnet?
Right, right, right.
So the problem is now, at least for me, which is why I wanted to segment my home network.
I have IoT devices.
I have all the stuff connected to the internet.
I did DNS filtering at one point and I saw just how chatty these things were and how much it blew me away.
But if someone were to get in, they can access anything in my

(28:57):
Now.
Listen, it's a home network.
I'm not housing government secrets or a billion dollars of crypto that you could steal, but it's not a great security posture, right?
If you're in, you get the keys to the kingdom, whereas if I have it segmented, like to your point, all my IoT stuff should be on its own thing.
It should only get internet access.
It shouldn't talk to anything in my house, right, but I don't have that set up because I'm just a route switch guy and I

(29:18):
don't know anything about security.
I tried and failed.
You said something earlier that got my attention and I've heard people say it, but I don't know what it means: deep packet inspection.
Can you kind of explain to me what that is and what it does?

Speaker 3 (29:31):
Do you want to run with it, Matt, or do you want me to take this?
I'll let you run with it.
So when you look at, just take a website, websites are HTTPS and I'm going to tell you right now you're not going to believe this, but I'm a network guy pretending to be a security guy, so some of this stuff a security guy would be able to really really go into detail on it but essentially, stuff going over HTTPS is encrypted.

(29:52):
So you've got encryption.
That's happening so that only the initiator of the conversation and the person they're talking to are supposed to be able to encrypt and decrypt that communication.
What deep packet inspection does is it puts a firewall in the middle.
Smack my own mic here, sorry.
Puts a firewall in the middle.
The person like me let's say I'm trying to go to google.com

(30:12):
intercepts my package and says, okay, let me see what you're typing.
Okay, you're trying to search my encrypted packet Correct and it's a lot to do with signatures and with help me out in the chat here, guys, which word I'm looking for?
I can find it, but I'm actually looking for the word.

Speaker 1 (30:25):
They don't know we're teaching them security.
Oh, they know.

Speaker 3 (30:29):
The little thing with the lock on your HTTPS sites.
What is that called?
Oh, that thing, PKI.
If I couldn't remember the word certificate, see, I told you I'm masquerading as a security guy.
That's why anybody can do this if you're a network guy.
No, the certificates.
So essentially what the FortiGate or I'm sorry, I work here, you got to forgive me what essentially the firewall is doing with the packet inspection is it's doing a man in the

(30:49):
middle attack and it's decrypting that packet.
It's your certificate that you're usually signing things by is actually the firewall certificate, not the end website.

Speaker 1 (30:59):
And then, once I decrypt it Decrypting an encrypted packet that doesn't sound very secure.
That's why I wanted to dig into this, because I've heard deep packet inspection I had a hunch.
It was like seeing encrypted traffic, which breaks my brain, because you're not supposed to be able to see encrypted traffic.

Speaker 3 (31:12):
So we'll give it to an analogy instead of the technical jargon, because, again, I'm not great with that technical jargon.
Let's say, for example, you and I want to have a secure communication and the way that we do it is I have a little box with a lock on it that you can have a key to lock it and I have a different key that unlocks it.
Right, that's encryption.
Right, that's how it goes across the internet.
What deep packet inspection does is it puts a thing in the

(31:34):
middle that says okay, look, Andy, if you want to send a packet to Matt, you first have to send it to me.
I get to unlock it, I get to see what it says, and then I'm going to lock it with my key and then I'm going to send it to Matt.
But how does the firewall?

Speaker 1 (31:46):
get the unlock key.

Speaker 3 (31:47):
It's because the firewall and the website are doing the actual communication.

Speaker 1 (31:51):
So the website communicates with the firewall as a proxy, almost.

Speaker 3 (31:54):
Correct, and it's okay.

Speaker 1 (31:56):
Yes, well, but so it's a man in the middle attack basically, but Not basically it is.
How is that?
I understand why that's good for the firewall.
If I were a hacker, couldn't I just put a firewall where I want to hack and decrypt everything and be in?
I know that's probably not a smart thing to say but yes and no.

Speaker 3 (32:13):
The person on the other end has to accept a certificate, so typically on a corporate laptop certificate management with SSL inspection is the biggest hurdle for everybody.
It's why deep packet inspection is something we should do, but I shouldn't say nobody, but far fewer people do it than should.

Speaker 1 (32:29):
But the same people managing the security in the organization with the laptops would have to also be administering the firewalls, because somehow they have to make it all work together.
Like you just can't come in, put a firewall in and decrypt HTTPS, okay because the certificate needs to be installed on that laptop, right?

Speaker 3 (32:44):
The certificate that talks to the firewall needs to be installed on the end and the end user's machine it's not a pre-shared key, but same like correct an IPsec tunnel.

Speaker 1 (32:52):
We got a thing, we're sharing it.

Speaker 3 (32:53):
Okay, all right, all right yeah, again, this is, this is gonna go on the internet and we're going to get completely blasted.

Speaker 2 (32:59):
That's why I let you run with it, yeah, but just to kind of like provide some insight on what the firewall is doing.
So this gets into the difference between the router and the firewall.
The router, or I should say the firewall, you've got those inside and outside interfaces and I actually ran into this as an issue at one of my customers trying to troubleshoot the

(33:20):
network.
The firewall has CPUs that process all that data and there's internal interfaces basically on those firewalls that as you transition from your inside to your outside interface, the CPU processes the packet.
So it's kicking it up to make sure it's matching ACLs or if it's permitted, not permitted, and that's where that deep packet inspection is occurring.

(33:41):
So if you've got the certificate, this backplane is doing this inspection.
The issue specifically just kind of talk about it was that those internal interfaces can get overrun if you've got a lot of people sending lots of small packets, just like a router interface.
If you're getting too much stuff, the CPU starts to drop packets because it can't process fast enough.
You just have to kind of reconfigure the firewall, I

(34:04):
should say, to process those packets more efficiently.
But the firewall is essentially a server where it's processing these packets, it's making sure things are allowed to do it, all the things that firewall does today.
These are big servers now that are multi-core, lots of memory, storing all this data, buffering and then sending it out to

(34:25):
whatever host or server application you're supposed to go out to.

Speaker 3 (34:27):
Are your eyes glassing over yet, Andy?

Speaker 1 (34:29):
No, no, no.
So last week we talked to Anita Chatterjee, a very brilliant friend who's an EVPN VXLAN expert, and by this time my eyes were glazed over, just because you really got to go slow with me on that stuff.
I think because something you said, Jeff, that a lot of this stuff is relatable to the networking things that we know.

(34:50):
It's kind of an add-on.
It's not magic necessarily, and I do want to hit zero trust at some point.
But I'm looking at the chat, I'm looking at their like.
Somebody wrote something about signatures.
I don't know what a signature is.
Can you guys like what the hell a signature is?
What they're talking about?
I've heard it used in security.
Is that just the traffic?
Like, is it a fingerprint of the traffic?
Like what you guys were talking about?

(35:10):
Like here's the person, here's their permissions, here's where they're coming from.

Speaker 2 (35:14):
I guess that's a signature, like an identity of a similar, similar, like virus scanners had signatures that detect viruses and malware and things like that, like there's, there's like a known fingerprint, that's this is what the, the, the bad actor or the thing would look like and this you should block it because it matches the signature that's kind of one of those broad terms.

Speaker 3 (35:33):
It also can mean a couple of different things, but yes when I, when I hear signatures, that's kind of what I think about is, you know, signatures and AV and all stuff like that.
Again, I'm not really an AV guy, I'm not an endpoint person.
I tend to be network guy masquerading as a security guy on the firewalls.

Speaker 1 (35:45):
But to your question on zero trust, we got zero if we want to get there yet I know that's probably I, I'm right like I well, so I'm reading through some notes that that I took and what made me think of it was you're creating a barrier between trusted and untrusted right.
Maybe that's the old school way, with zero trust, and I guess we'll just jump in if we want because we're here, but there is no trusted right.

(36:06):
It's in the name, the name is the recipe, but it used to be zones and this can talk to this, but not that.
How the hell do we not trust anything and how does anything work?
Do you guys?
Are you familiar with zero trust enough to like speak about it a little bit?

Speaker 3 (36:19):
I can't go back to my bar analogy right.
Zero trust is I'm worried about you, Jeff.

Speaker 2 (36:24):
There's a lot of bar analogies here it's been a day.

Speaker 3 (36:28):
No.
But going back to the bar analogy, you've got the bartender that checks it every time.
That's somebody who trusts Noah, his jobs and the line.
But if you went up and ordered a water, he wouldn't check your ID for that right he's only checking your ID for the thing that he needs to know your ID for.
So zero trust is all about checking and making sure that the machine you're coming in on is safe, that the IP address

(36:48):
you're coming in on is the IP address that we expect.
The user's credentials are the ones that we're looking for and the destination that you're going to is one that the person that meets all those criteria on that box is allowed to go to.
But you don't necessarily have to apply zero trust at every part of your network.
So the parts that it doesn't matter.
Going out to the internet, I don't care if they're going out

(37:09):
to the internet.
What I care about is maybe I don't want to go into certain web pages, but that's not zero trust.
That's web filtering.
Zero trust is more about are you allowed to traverse laterally inside of my network?
And if you are, then I have to know that you're on a safe device.
I have to know that your credentials are right.
I have to know that the machine that you're coming in on is safe and that's all.

(37:29):
Zero trust is, and it's a lot of times I think it gets pitched some product, but it really is more of like a framework, it's a, it's an idea, and it takes more than just one thing.
It often takes some kind of an endpoint plan and then it takes the firewall or some device that's doing the checking in the middle as you try to traverse that network.

(37:50):
Zero Trust is just that idea of checking it constantly.

Speaker 1 (37:52):
Do you guys know who started that?

Speaker 3 (37:53):
Do I know who started ?

Speaker 1 (37:53):
Zero Trust.
What company? Rhymes with Schmoogle.

Speaker 3 (37:57):
Oh, actually I didn't know that.
Yes, I know you didn't know that Google was.
I forgot about that.

Speaker 1 (38:01):
I worked a contract and we were creating some stuff.
For whatever reason, I went up down the rabbit hole.
I was working on some security stuff for cloud.
I learned about this 2008 hack of Google and that was the.
Google went down for X number of whatever, and it was this really bad thing.
As it turned out, they were like well, how do we prevent this from ever happening again?
And I can see the lady's face.

(38:22):
I forget her name, but she, I think, was like we can't trust anything anywhere and we need to create a framework around that.

Speaker 2 (38:28):
And here we are, so thank you.

Speaker 1 (38:29):
Thank you, Schmoogle for Schmoogle, all right, so zero trust really have I understand firewall more now than I did before?
Oh, and one day I just jumped back into my head Did public cloud kind of make securing networks harder?
And the reason I say that?
I've worked in data centers where public cloud appeared and it just complicated the hell out of almost everything.

(38:52):
And I don't I assume it has ramifications in like do you the security, do firewalls care where it's coming from?
Does it matter if it's coming in public cloud, or do you just see that as another place?
People are coming in and it's not that big of a deal?

Speaker 2 (39:04):
I would say it's another source of traffic.
It's one more thing that you need to be aware of and I would say just let's look at the public cloud side.
If you set up AWS, Azure, whatever you have to set up firewall rules to allow things into it.
Like it inherently blocks that traffic, deny all, deny all, and

(39:26):
even going out it doesn't necessarily let everything out.
So you've got to start building rules.
So now you need to start setting up not only the rules for what can leave the cloud, but where do you want that traffic to go and what IP should it be coming in on and what IP should it be going to.
So, from a complication standpoint, it's one more thing to keep track of, because now you've got these big networks in

(39:47):
the cloud and then you've got your network in the on-prem data center that you want to allow traffic and services to flow between these two entities.

Speaker 3 (39:56):
I think the other problem with some of the public cloud stuff is that a lot of the network stuff in there is built by server guys who are not security guys and they're not route switch guys.
All they really care about is I just need to be able to get to this and I need this thing to be able to talk to this thing, and a poorly built cloud can allow all of your things to talk to

(40:19):
one another.
And I think what often happens is, as people decide to start jumping into an Azure AWS type of environment, they don't think security first on that.
They think they're moving their smart guys that understand service and those guys are starting to build things, and now those guys have a little bit more of the keys to the kingdom.
They can build a VNet to make things talk to one another, and

(40:39):
what I think it's done is it's a little bit letting the tail wag the dog with some of that, the stuff that normally the security guys would protect the server guys from themselves on.
If you're not careful they can kind of run amok.
So a lot of that kind of comes down to depends on the company, depends on what strategies they have in place.
Are they thinking security first.

(41:03):
We hear five nines with the cloud and I think people tend to forget that that's uptime, that's not security.
The cloud doesn't care about security.
They've got some security appliance stuff up there, but it's not the same thing as what you're paying for and I'm not trying to knock cloud, I get the benefit of

Speaker 1 (41:17):
it and it's amazing, but as a network person, it made troubleshooting complex, like three in the morning.
You get a call, something's not working and you get on the bridge and you're like where is this application when?

Speaker 2 (41:29):
it was all on-prem.

Speaker 1 (41:30):
I know what to check and what shouldn't be working when you're in multi-cloud.
If you're in four CSPs and you get on a bridge and something's broken, like well, where is this thing and how does it work?
Like just so, I'm assuming from a security standpoint.
It would also complicate things possibly a little bit, like OK, where is this thing?
Or how to.

Speaker 3 (41:47):
There's some similar complications in cloud that I think we tend to forget with things like MPLS or SD, when security was kind of forgotten in those because people just treated MPLS circuits as side traffic.
Well, that meant that as people started doing more network segmentation they kind of forgot that MPLS was another venue into their network from sites.

(42:08):
That tends to be another place where firewalls don't always sit at the edge of your east-west traffic on MPLS.
The same thing is true of SD-WAN.
It's why everybody is now talking about secure SD-WAN.
It's all about putting security appliances at the places, trying to put them at the places where there's that possibility of things talking to one another.

(42:29):
It's really like your router, your layer three stuff where things could go between subnets.
That's largely where your firewalls are, and the cloud makes it more complicated than some of the other stuff does too.

Speaker 1 (42:39):
That's interesting too, and that's what happens in these episodes.
You're like we'll go 30 minutes an hour and a half later.
I'm like oh my God.
But you say something which sparks again to the earlier conversation, like where to put firewalls and what traffic are we inspecting?
So if you're running microservices and 80 filtering the server to server services coming up and down, or are you like you might?

Speaker 2 (42:59):
Right, so on you.
How big that, I guess that microservices environment.
Right, and so what that microservices environments like?
What is it?
Two different microservices environments talking to each other?
Should they be talking to?
Even going back to VXLAN, now you're getting into service chaining with the firewall, where you're allowing a VTEP to talk to another VTEP, or I should say, a VNI to talk to

(43:20):
another VNI, but it has to pass a firewall before it can even process to the next segment of the VXLAN network.
So again, this is where the firewall has evolved to.
It's not just sitting at the edge of your network, it's sitting in the middle of your data center.
Now, so it's not at the edge of the data center, it's in the middle of all the eSports activities.

Speaker 1 (43:37):
I would hate to see a modern firewall request for this next gen thing that we just like.
So if you're running an application with a microservice architecture, like again, the old school was like here's my IP, here's the TCP ports I need done, I can't imagine what the request looks like.

Speaker 2 (43:57):
Well, here's the 72 services that this has to talk to, for this application to work. Like and by the way.

Speaker 1 (44:00):
Is that?
What is that what those requests look like?
It's a lot of.
They have to be more.
They have to be longer than they used to be Like, or maybe there's somebody there's still similar, at least I think they're still similar.

Speaker 2 (44:10):
I'd say the bigger issue is you get into it's not just a data center now, because you've got these multiple points.
You've got the middle of the data center, the edge of the data center.
What if it wants to talk to another data center.
So you've got multiple locations where you're managing data.
So there's more firewalls in the path potentially to a host.
For a network engineer, it's valuable for them to understand

(44:34):
that device on their network, what it's doing, what it's protecting and how it with their network.
So hopefully network engineers are managing them and they're getting good direction from their security people of what things should be allowed in the network, what things should be dropped, permitted, et cetera.
But it's definitely evolved quite a bit.

Speaker 1 (44:52):
What's the career trajectory?
Like would you want to be a CISO someday, aren't they like the CEO of no, okay, no, but Like would you?

Speaker 2 (44:57):
want to be a CISO someday, aren't they like the CEO?

Speaker 1 (44:58):
of no, okay, no, but they're like.
They're the ones that set all the policy.
Is that correct?
Like in big organizations?

Speaker 3 (45:03):
So Matt was saying something that maybe I think if you don't work in this world at all, you may it may be easy to misunderstand.
So he's talking about the security people.
The security people are not the firewall people.
The security people are the ones that are setting up the policies.
They're the ones that are saying here's what we need to make sure we have visibility into, here's what needs to be

(45:24):
allowed or not allowed.
That's a group of nerds who loves data.
So the firewall guys, we're the cable guys, like you started.

Speaker 1 (45:33):
We're the guys that are the network guys, you implement the stuff right, like they're almost like security architects.
I would say right like the architects, design yeah and give it to the and they're not even.

Speaker 3 (45:43):
They're not even designing it architecturally from a they're.
They're even higher level than that.
They are very much.
They don't know how you're going to do it, whereas architects tend to know how you're going to do it because they had to get there.
These are the guys.
I don't know how you're going to do it, but here's what I need done.
I need to be NIST compliant, or I need to meet this set of standards, or I need to be able to pull records from such and such as email from four years back.

(46:04):
They're the ones that come up with impossible tasks.
We're the ones that have to figure out how to do it.

Speaker 2 (46:07):
And it's interesting because you asked if I'd ever wanted to be a security professional, and to that point where the security people are kind of making these wild things, like, hey, I want you to do this.
Wait, it's not going to do that.
It's not a magic box, it could just do these things.
I had thought about a career of getting into being more

(46:28):
technical as a security engineer and helping people understand, like, hey, here are the technical limitations of the device and what it can do, because it's just one of those things.
It helps to have that experience and background.
And then I realized I don't want to deal with security.
I like protecting things and making things secure, but I don't want to be in that kind of day-to-day of creating policy.

Speaker 1 (46:46):
Daniel Pelfrey in the chat just said something that kind of rung true for me.
He said you need to understand the workflow of your application, whether on-prem, hybrid, whatever.
And again I don't mean to sound, I don't want to come off a certain way, but in my experience the application people would submit the firewall requests and then they would go to test and things wouldn't work and they'd say the network was broken and in the end it seemed to be that the

(47:07):
application people didn't know what they needed to submit to get the right.
So you guys in your careers, do you find, see, there's a disconnect and this is like a higher order bit that I want to talk about in other episodes but the disconnect between application folks and network folks.
And I'll throw security in there, right, firewalls, cause it's you're traversing the network.
But if application people don't know what they need for their

(47:29):
application to traverse the network and we don't understand application people like that, unfortunately it was just that disconnect and we're on troubleshooting calls until we do a packet capture.
We're like, oh well, this is, you didn't submit the thing and you need this port open, like so when Daniel said you need to understand the workflow of your applications, my experience has been the application people do not understand enough networking half the time to know what to even submit no firewall requests.

(47:51):
Have you run like you've run into that right, like the network's broken?
We submitted what we needed.
Well, you submitted what I guess you thought you needed.

Speaker 2 (47:57):
But right, yes, and the firewall is going to tell you they're going to start sending, let's say, an application flow and it's supposed to go through the firewall.
Well, you might see permit, permit, deny, if you're monitoring that traffic and you're like, oh, hey guys, you didn't put a request in for this one thing, and that's the one thing that's keeping their application from working.
100%, yep.
So then they go back and they submit and policy is pushed

(48:19):
through.

Speaker 1 (48:20):
We've been going close to an hour so I'm going to quick fire a couple of things I just wrote down so we can get there.
So I don't have you guys on this time.

Speaker 3 (48:27):
It was a tough question, Matt.
I'm handing it to you.

Speaker 1 (48:30):
All right, well, I wrote down application awareness, but I think we kind of talked about that right, that's Jeff when you were talking about like, well, you can get on Facebook but you can write this but read that, or so somehow the firewalls maybe I should shut up and just ask, like, what is application awareness?
Did we cover that already?
I wrote it down because I wasn't clear on it.

Speaker 3 (48:47):
Application awareness could be again, depending on what you're wanting to do with it.
If you want to block or allow, that, that's the simplest firewall thing I could say.
I want to block any type of a proxy application, right.
So that's an application, is proxy stuff that someone might normally go to circumvent my firewall policies.
That's an application that I can be aware of.
But I'm not going in and trying to name every proxy application.

(49:10):
Typically it's a category that I'm clicking.
That's why next-gen firewall, the application aware stuff a lot of it is behind the scenes nerd magic that as the network guy I don't necessarily I can look up what application belongs to what category and that kind of stuff.
But realistically I'm applying, I'm applying a category filter or I can get right.
I can say that's the kind of stuff.

(49:31):
Application is some of its applications, like RingCentral or stuff like that.
You may want to do specific traffic steering.
One of the things that firewalls can do and routers can do it too but is policy-based routing where I can say, based off of this source and this destination and even this application, you get to go out this route.
So maybe something that that's like voice, it's going to be

(49:52):
super sensitive to jitter.
I might steer that out a different interface.
That's something a firewall can do because it's application aware.

Speaker 1 (49:57):
So you said voice and that just was a perfect segue into one of these things I wrote down.
So firewalls slow down the network?
No, no, they don't, but like there's processing overhead and like well, right, so, VoIP, you got to get there, right.
So I guess A can firewalls slow down your network connectivity, like I know, when I connect to a VPN, my connection gets way slower right Because of the overhead I get.
There's work being done.

(50:17):
Are you filtering voice?
It's UDP.
Do you just let everything gobecause it has to be real time?
Is there filtering of voicetraffic?
I've never filtered it.

Speaker 3 (50:26):
You can, but I mean, you don't. Because you typically know the source, you typically know the destination, and they end up being trusted source, trusted destination. So you aren't going to do a ton of inspection, right?

Speaker 1 (50:38):
So I'm going to build a separate policy for that application, okay. But, like, with the right kind of design, the right kind of box, you've spent enough on the hardware firewall, like, it shouldn't slow down your network.

Speaker 3 (50:47):
There's always going to be some type of an impact, and the only reason is because it's inspecting something. Now, you can do some stuff where there's no inspection and it should be fairly line speed, right, but a router slows down every time there's a hop. You're going to take some kind of a hit. It's overhead, right, you're doing work. It all depends on what you're looking at and what that firewall is trying to do.

Speaker 1 (51:07):
OK, I wrote down threat intelligence, but I don't really have anything intelligent to say about it or know how to ask that question. But I saw the notes, and does that mean anything to you? Or is this just something we'll ignore? Like, what does that mean? So a couple of concepts, like, yes, firewalls detect threats. Like, what is it?

Speaker 3 (51:23):
So we kind of go back to what Matt was talking about earlier with some of the stuff in the next-gen firewalls. When I think threat intelligence, I think something like the Cybersecurity Alliance. The Cybersecurity Alliance is a partnership between Cisco, Palo Alto, Fortinet, Juniper, you can look it up. There's a bunch of others, but the Cybersecurity Threat Alliance, or I'm probably getting the name a little wrong, that is

(51:47):
a place where all of these security vendors are starting to share their threat intelligence. Threat intelligence is what we gather by having boxes out in the field. It's saying, I've seen that one before. That's a bad website. Or I've seen this signature in this file before. We know that that's a virus.

Speaker 2 (52:01):
Or I've seen this type of behavior, exactly, ransomware.

Speaker 3 (52:04):
That's your threat intelligence, that's the stuff that your devices are learning, and AI is really accelerating that, because it's not AI like large language models you're chatting with, although that's coming too. A lot of it is the ability for those devices to learn that, to update a centralized database that can then be shared with

(52:24):
other vendors and say, hey, we're kind of all in this together to keep the bad actors out.

Speaker 1 (52:30):
Here's our threat, and that's the thing. Like, everybody, there's a common database? Absolutely. To secure everything.

Speaker 3 (52:34):
It's typically every vendor is going to have their own, but they do share across them.

Speaker 1 (52:38):
It makes sense to not silo that information, right. It makes the whole community safer. Sometimes I ask questions I'm embarrassed to ask, but what is a DMZ? I know it's a demilitarized zone, but, like, what is that? Why do you use it? Like, does that mean there's no security there? Like, is that the Wild West of the internet?

Speaker 2 (52:56):
It's a magical place in between your inside and outside networks.

Speaker 1 (53:00):
And you can actually understand.

Speaker 2 (53:01):
So the DMZ is kind of like, let's say you've got people coming from the outside, the Internet, whatever. Maybe you don't want them on your internal network, maybe you have a special area, special networks, system, data center that you want them to go into. The DMZ can be the shared resource, so people on the inside can come in and go to the DMZ and access resources

(53:22):
they provide customers. But when the customers come in, instead of coming into your internal data center they get steered into the DMZ, where all the services and applications that they want to access are available to them.

Speaker 3 (53:36):
It's often the place where your DMZ is, it's your public-facing, kind of that public-facing or that section where there's not a huge expectation of a ton of security, and you're kind of aware it's a little bit of the Wild West.

Speaker 1 (53:52):
I apologize, but I'm still not getting it, and that's partially because Jeff and I were making cute googly eyes with cups as you were talking.

Speaker 3 (53:58):
I apologize.

Speaker 1 (54:00):
It's a place, you said, it's between the inside, like the trusted and the untrusted, or the inside/outside.

Speaker 2 (54:06):
So let's back up and go. It's another trusted area, but it doesn't sound trusted, right? Like, is it?

Speaker 1 (54:11):
It's less trusted, and why are we creating a less trusted environment? What's the point of a DMZ?

Speaker 2 (54:20):
So our most trusted environment is generally where our most sensitive data is sitting, our clients, our servers, whatever, but we may have data that comes from that internal network that we want to share with another set of systems on our network that customers need to be able to access. So generally, the security rules of a firewall allow anything from a higher interface to go to the lower.

(54:41):
So you update databases from your higher interface to your lower, to the DMZ, and then when customers come to access their data, or when people come in to use your tools or in your environment, the DMZ is where they go. So it's kind of that playground for them to do things where they're not doing anything to your internal network. And then if there's things in a DMZ that need to be pulled back

(55:02):
into your internal network, you've got specific systems that are allowed to process that data back up to the more secure internal inside network.

Speaker 3 (55:13):
A couple examples. Website, right, you're hosting a website. You might want to put that in your DMZ. I guess someone going to your website isn't getting, they're not bypassing your firewall to get into your network. I shouldn't say they're not bypassing your firewall. They're still going through your firewall to get to that DMZ. But that DMZ is a separate network. It's isolated from the rest of your environment. DNS: if you have an external DNS, that external DNS might sit in

(55:35):
your DMZ. You can get to that thing and things can be looked up there.

Speaker 2 (55:42):
But they're not getting into your network to see that stuff. And another way to look, I was going to say another way to look at it is maybe don't even consider it a DMZ, maybe it's just you have different tiers of customers that you allow access to in your network, and those different tiers of people have different levels of access. So it might be security level 50 and everybody goes there, and then you've got 60, 70, 80, all the way up to 100.

(56:03):
And the rules and things that you're allowed to get to are based on all the different things we've talked about tonight: your identity, where you're coming from, what you're allowed to have access to, and it's just these controlled areas on your firewall that are just separate, isolated networks.

Speaker 3 (56:19):
I host a Minecraft server for my brother and some of his friends that sits in my DMZ, right. They can get to it. They have to have credentials to get to it, but even once they're there they don't have access to the rest of my network. So they can get to a public-facing resource like a web server or Minecraft server or something like that, but they can't get in, they can't get to your inside network.

Speaker 1 (56:40):
It's an island, it's segmented off. So I see the purpose, but that doesn't... that doesn't increase your attack surface? Like, now they're in your firewall and they, like, they're not closer to getting in. Like, they're not getting in. That's it. You can't get through the DMZ.

Speaker 3 (56:54):
This is the stuff that they have to be able to have access to, right? If I'm hosting a website they have to have access to that website, but if they somehow have-

Speaker 1 (57:00):
Security vulnerabilities or, like, bugs or whatever the hell, like, can you hack through a DMZ and get inside under certain circumstances? Like, are you at increased risk by having a DMZ zone? I guess is what I'm trying to get at. Are you putting your company... or you need a DMZ, you have to have one. This is the way it works, right? You don't?

Speaker 2 (57:19):
even have to have a DMZ. You could just have an inside/outside and call it a day. But a lot of that comes back to how you design your network and your firewalls and what people are allowed to do on those systems. If they can sit, like, say we SSH from the outside to the DMZ, if there's some rule that says they get on a server and then they can SSH into the internal network, well, that's a hole that

(57:41):
was in the firewall that allowed the attacker or whoever to get in. And that gets back to application flows, how you design and architect how people should be able to access your network and your devices, and making sure that you secure your boundary. You don't want to have a hole in the firewall where somebody could accidentally get into your DMZ, or purposefully get into

(58:02):
your DMZ, and accidentally end up in your internal HR system.

Speaker 1 (58:06):
So this is all very helpful, thank you. And it's one of those terms I've seen and I've just never been brave enough to ask, especially in a public forum, because I feel like we're all supposed to know what a DMZ is at this point in our careers. So the last question I have around that, and then we can wrap it up with my final question. So, like, if I'm hosting, let's say I want to host a blog for my

(58:27):
server I have at home, right, and I want it to be publicly accessible because I want people to read my brilliant words. That would have to be in a DMZ, right? It's something I want publicly available to people who can hit it, but I don't want them to get into my network, as an example. But in my mind, if I'm opening my server up to the internet, that doesn't seem safe. Great, somebody is going to get me somehow in ways I don't understand. But is that just?

(58:48):
I guess there's other security parameters you're putting in place so people don't get to your server to read your blog and destroy your server, right? As an example, like layered security, like we were talking about before. Just because my, just because I have a VM running on my server hosting a web, a blog, and I put it in my DMZ to protect my inside but allow access for outside people, that doesn't mean somebody's going to come in and crush my

(59:08):
server. The worst case they're going to do is somehow log into that VM, destroy it, and I'll just replace it, right now.

Speaker 3 (59:12):
As a network guy, I think of a DMZ as another subnet, right? You're just putting them into a different subnet.

Speaker 1 (59:17):
That subnet's not allowed to talk to your main home stuff, right. Like, opening resources to the Wild West of the internet and something called a DMZ just sounds scary to me, but that's what we do. That's how it works. Well, it's because you have something you do have to make publicly accessible, so that... Not necessarily the service sitting

(59:39):
on that web server.

Speaker 3 (59:41):
They're still going through a firewall to get to it, they're still looking at rules, they're still mainly going through an IPS, that kind of stuff. But in the end you are aware this is a publicly facing utility, and with it being publicly facing, I don't want there to be a way for them to get there, and I keep smacking this mic, to get to the DMZ or the server that's on the DMZ and

(01:00:02):
then back into my really valuable stuff.

Speaker 1 (01:00:04):
So I know I keep saying I'm done with DMZ. But last question. Amazon is an example. Amazon.com, when I go shopping, that's a publicly available resource. It's a website sitting on a bajillion servers. Somehow that's in their DMZ, right, because it's publicly... Can we make that leap? Is, right, because it's publicly, like...

Speaker 3 (01:00:23):
Can we make that leap? Is anything publicly accessible on the internet probably sitting in a DMZ? If it's managed properly from a security posture, it's probably gonna be DMZ'd to death. But, um, if you were to hack their server that hosts that application that is Amazon, the chances are you could not ping their CEO's laptop, right? That helps.

Speaker 1 (01:00:34):
Unless you're Jeff or Matt. What you're doing, all right, is NAT. Is NAT security? I see people argue about it, like, it's not security, just because you're... not something, you're not hiding anything. We're changing the outside to the inside address, right? Like, is that a layer of security? That's why I asked. I knew it would annoy you.

Speaker 3 (01:00:50):
I'm sure there will be somebody that has more knowledge on this that will completely blow what I have out of the water, and I just hope they don't see this. From my experience, it's an aspect of security, but it's not... Just because you're changing your outside address to a different address.

Speaker 1 (01:01:06):
Doesn't really... you're?

Speaker 2 (01:01:07):
not securing that resource. You can do one more layer. The NAT can act as one more layer of security for things as they transition out. So by function, the firewall can add security to the NAT translation. But in and of itself, all you're doing is creating this stateful connection between the inside network and what it was

(01:01:28):
translated to to go out to the internet, and that you've obfuscated what was on the inside.

Speaker 1 (01:01:32):
Oh, you said obfuscated. I know, right, that's the word you talk about when you talk about this thing. Is this, do it...

Speaker 2 (01:01:38):
Is this the word of the day?

Speaker 1 (01:01:39):
It is, you win. Whoever said obfuscate wins this round, and you won. This has been really informative for me, and hopefully the folks listening or watching were able to learn some things too. Is there anything that I probably should have asked you that I didn't? Were you like, oh, Andy, you really should ask me such and such? I have so many questions. I don't know if I left anything unasked, but is there anything

(01:02:00):
you guys want to add or put a point on at the end here?

Speaker 3 (01:02:03):
I just think one of these days, what we have to be able to do is share our screens, and then we'll just help you build a firewall policy. That's what we need to do. What we need is, for one of these episodes, instead of us just... being in action, and then you see it block that ping and you see it allow that ping. You're like, oh okay, that makes sense.

Speaker 1 (01:02:20):
Well, let's do that, because I, and then, Matt, I'll let you go. But there's some changes happening in the show and we'll talk about it some other time. But we just had Nindo on talking about EVPN VXLAN, and then I was speaking to him yesterday and he offered to come on here and start teaching it and labbing it and going through it. So I kind of like the format of, hey, we talk about security here, we're talking about firewalls, and then maybe do either another shorter episode or maybe a series of, like, all

(01:02:41):
right, let's build a policy, let's try to do some things. A little more technical content, maybe some labbing, and we can take the concepts we talked about, make them real and make them tangible.

Speaker 3 (01:02:50):
Learning with laptops. If you're game for that, Jeff.

Speaker 1 (01:02:53):
I'd love to, and, or Matt, I'd love to do something like that. What were you going to say, Matt? I'm sorry to cut you off.

Speaker 2 (01:02:58):
I was going to say it sounds like a great CML episode on how to use an ASA or how to build a DMZ, and why would you build a DMZ?

Speaker 1 (01:03:06):
Awesome. Guys, thank you so much. This was informative and educational to me. This is my favorite part of the show, is I get to learn something every time with some cool people joining on YouTube. You can find all things Art of Network Engineering on our website, artofnetworkengineering.com, but we have a link tree, linktr.ee forward slash artofneteng, which takes you to all the things. There's a merch store, there's our website, there's all the

(01:03:26):
social media links. What I like to direct people to every time we talk about it is our Discord server. It's All About the Journey Discord server, thousands of people in there. It's a community. Everyone's pretty much studying something, right, because we work in tech and it never ends and everything's evolving. If you don't have a community, I would recommend you get one. What I love about this show and what became the Discord server is it's the community I wish I had when I was coming up and

(01:03:49):
sitting in my cable guy truck and all the cable guys telling me I was wasting my time, money and effort studying for my CCNAs. I love to see all these people in there lifting each other up, helping each other out. That's pretty much it. Check it out. Thank you very much and we'll see you next time on the Art of Network Engineering podcast. Hey folks, if you like what you heard today, please subscribe to our podcast in your favorite podcatcher.

(01:04:09):
You can find us on socials at Art of NetEng, and you can visit linktr.ee forward slash artofneteng for links to all of our content, including the AONE merch store and our virtual community on Discord called It's All About the Journey. You can see our pretty faces on our YouTube channel named the Art of Network Engineering. That's youtube.com forward slash Art of NetEng.

(01:04:30):
Thanks for listening.