Geekzone: technology news, blogs, forums
3754 posts

Uber Geek
+1 received by user: 2222

Trusted
Lifetime subscriber

  # 1754889 3-Apr-2017 16:54

Thanks Scott, that's great responsiveness. 

 

Apologies for being a bit terse, I was a tad tired and grumpy last night. 





Information wants to be free. The Net interprets censorship as damage and routes around it.


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1756032 3-Apr-2017 22:00

ScottNoakes:

and delivers enterprise grade features.

Hi Scott, don't mean to be rude. But that is a pretty bold statement. I've had a look at your demo site, your product looks nice. But my job for the last 18 years has been working with enterprise firewalls (Palo Alto Networks, Checkpoint, Cisco, Fortigate, Sonicwall, Sidewinder, Juniper etc). Certainly some of the features are interesting for school integration, but I'm not sure I would throw it on the Enterprise pile? Even for SMB class (going by Gartner's standards, which is for up to 2000 users).

I would add I've rewritten this a dozen times trying not to come across as a complete tosser :)


 
 
 
 




20 posts

Geek
+1 received by user: 10

Linewize

  # 1756184 4-Apr-2017 10:56
One person supports this post

 

Hi Scott, don't mean to be rude. But that is a pretty bold statement. I've had a look at your demo site, your product looks nice. But my job for the last 18 years has been working with enterprise firewalls (Palo Alto Networks, Checkpoint, Cisco, Fortigate, Sonicwall, Sidewinder, Juniper etc). Certainly some of the features are interesting for school integration, but I'm not sure I would throw it on the Enterprise pile? Even for SMB class (going by Gartner's standards, which is for up to 2000 users).

I would add I've rewritten this a dozen times trying not to come across as a complete tosser :)

Hi Vulcanz. Thanks for your comment, and rewrites, not rude at all. Ok so yes there's some hyperbole around "Enterprise grade" on my part. We do offer the following functionality which I'd place in that category:

 

  • Cloud management.
  • Network traffic reporting and analytics on every connection. (by user, device, group, dest IP, etc)
  • Layer 7 application signature based filtering, routing and QOS (user, device, group, app, etc.)
  • Stateful L2TP/IPsec VPN remote access (if you've ever tried to diagnose a broken Fortinet VPN access you'll understand)
  • Integration with Google directory, Azure AD, AD, RAS, WMI etc.
  • Automated remote firmware updates on a weekly basis. 

A number of these features are not offered by any other OS firewall. We do the access and content filtering management on networks with many thousand devices (schools are good for that). We think we're doing something pretty interesting here.

 

What we're not doing is trying to have a pissing competition around the UTM aspect with traditional vendors. We'll never win that. What we do see as an opportunity is to offer best in class Unified Access Management, controlling who can get onto the network and what they can do there. Hence the large proportion of Layer 2 bridge installs augmenting a traditional UTM firewall.

 

Also I'd argue that as more local networks become cloud centric and devices become mobile there's not much local infrastructure left to defend, so it's hard to justify the expense of a traditional UTM. Mobile devices connecting to a host of WiFi networks means that security responsibility is shifting to the OS. Schools certainly lead this trend ahead of SMBs due to the cost benefits of being all-in to cloud services.

 

Why we think we can pull this off is due to the availability of low cost, high quality, commodity hardware with massive CPU power (or VM install), combined with offloading analytical data and management into the cloud. The infrastructure required to offer network access as a service has never been so affordable.

 

I'd be curious to know your response to the above thoughts. We may just be blowing smoke up our own arses. :) It may be that I am the complete tosser here. ;)

 

Cheers Scott.


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1756248 4-Apr-2017 12:23

ScottNoakes:

I'd be curious to know your response to the above thoughts. We may just be blowing smoke up our own arses. :) It may be that I am the complete tosser here. ;)

Cheers Scott.

OK well here goes..

Cloud management is common these days, network traffic reports are old hat (including layer 7 by user etc). Layer 7 has been around since the early 2000s (if you don't count the Sidewinder's 'proxy everything' mentality). I've diagnosed many VPNs, Fortinets aren't my favourite but their VPN is fine. LDAP/AD integration is old hat, social media auth is not rare either. Automated firmware updates would land in the "are you crazy?" category for any decent size organization.

 

BYOD is not hard to handle now, with most platforms supporting RADIUS Accounting + Social Media auth for a couple of years.

 

I also work with firewalls in many schools.

 

All the high performance boxes use specialist processors (PAN use a combo of ASICs/Caviums, Sonicwall use Caviums, Forti/Juniper use ASICs). These often accelerate packet inspection, SSL encrypt/decrypt, IPSEC and other features. Anything x64/x86 based can never come close to these in performance. So I am extremely wary of bold performance claims around VM based firewalls.

 

Looking at your demo I will list what I 'missed' as the features may be under the hood somewhere:

 - SSL decryption (must have IMHO, looking at cert headers is not good enough)
 - IPS (snort IDS is not enough)
 - GatewayAV with some sort of NGAV/ATP/sandbox scanning
 - Flood + DoS + DDoS protection
 - Connection limiting
 - IPv6
 - High Availability
 - SSL based client VPN

Not features but:

 - independent certification (e.g. ISCA)
 - independent testing (maybe something like Ixia and Spirent Mu tests)

 

Also information on how your stateful and Layer 7 engines handle evasion techniques, is the layer 7 engine proxy based or flow/stream based (how does it handle out of sequence packets etc, does it have any memory limitations).

 

So far the only unique offering is the teacher management capability - although there are a couple of products out of Aussie that do this (Cyberhound and something else I cannot remember the name of) - I would class them as proxy servers but they do try and sell themselves as firewalls. But that feature is purely a school feature.

 

I would also note that "means that security responsibility is shifting to the OS" is a given. I find this an annoying statement often used to lessen the expectation of network security. Security should be defense in depth, a multilayer approach. This should include security on the OS/device AND security on the network. It is not hard to do.
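The out-of-sequence-packet and memory-limitation questions raised in the post above, as an added example that is my own code and not from the thread, Linewize or any vendor named here: a minimal TCP stream reassembler with a capped hold buffer, showing why matching a filtering signature packet by packet misses a Host header that straddles reordered segments, while matching on the reassembled stream catches it. The request, split point, signature and buffer cap are constructed sample data, not values from the page.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the segment's first byte
    payload: bytes


def per_packet_match(segments, pattern):
    """Packet-by-packet inspection: only matches if the pattern lies inside one segment."""
    return any(pattern in s.payload for s in segments)


class StreamReassembler:
    """Rebuilds the byte stream the receiving host will see from TCP segments.

    Out-of-order segments wait in `pending` until the gap before them closes;
    the hold buffer is capped (the "memory limitations" question), and bytes
    already delivered are never overwritten by overlapping retransmissions.
    """

    def __init__(self, isn=0, max_buffer=4096):
        self.next_seq = isn            # next in-order byte we expect
        self.max_buffer = max_buffer   # cap on bytes held out of order
        self.pending = {}              # seq -> payload waiting for a gap to close
        self.data = bytearray()        # contiguous reassembled stream
        self.dropped = 0               # segments refused because the hold buffer was full

    def feed(self, seg):
        if seg.seq + len(seg.payload) <= self.next_seq:
            return                     # pure retransmission of bytes already delivered
        if seg.seq > self.next_seq:    # arrives ahead of a gap: hold it, within the cap
            held = sum(len(p) for p in self.pending.values())
            if held + len(seg.payload) > self.max_buffer:
                self.dropped += 1
                return
            self.pending.setdefault(seg.seq, seg.payload)  # first copy seen wins
            return
        self._append(seg.seq, seg.payload)
        self._drain()

    def _append(self, seq, payload):
        overlap = self.next_seq - seq  # leading bytes we have already delivered
        self.data += payload[overlap:]
        self.next_seq += len(payload) - overlap

    def _drain(self):
        # Release held segments whose gap has now closed, lowest sequence first.
        for seq in sorted(self.pending):
            if seq > self.next_seq:
                break
            payload = self.pending.pop(seq)
            if seq + len(payload) > self.next_seq:
                self._append(seq, payload)


def stream_match(segments, pattern, isn=0, max_buffer=4096):
    """Reassemble first, then match: what a stream-based Layer 7 engine must do.

    Returns (matched, reassembled_bytes, segments_dropped_for_memory).
    """
    r = StreamReassembler(isn, max_buffer)
    for seg in segments:
        r.feed(seg)
    return pattern in bytes(r.data), bytes(r.data), r.dropped


# Constructed sample: a plain HTTP request whose Host header straddles two
# segments, delivered with the second segment first and the first one repeated.
REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
SPLIT = 26                                   # falls inside "blocked.example"
SEG_A = Segment(0, REQUEST[:SPLIT])
SEG_B = Segment(SPLIT, REQUEST[SPLIT:])
OUT_OF_ORDER = [SEG_B, SEG_A, SEG_A]
PATTERN = b"blocked.example"                 # a hypothetical filtering signature

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(OUT_OF_ORDER, PATTERN))   # False
    print("stream match:    ", stream_match(OUT_OF_ORDER, PATTERN)[0])    # True
    # With a tiny hold buffer the out-of-order segment is refused and the
    # signature is missed: a memory cap is itself a failure mode to monitor.
    print("capped buffer:   ", stream_match(OUT_OF_ORDER, PATTERN, max_buffer=8))
```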




20 posts

Geek
+1 received by user: 10

Linewize

  # 1756460 4-Apr-2017 17:40

 

 

Cloud management is common these days, network traffic reports are old hat (including layer 7 by user etc). Layer 7 has been around since the early 2000s (if you don't count the Sidewinder's 'proxy everything' mentality). I've diagnosed many VPNs, Fortinets aren't my favourite but their VPN is fine. LDAP/AD integration is old hat, social media auth is not rare either. Automated firmware updates would land in the "are you crazy?" category for any decent size organization.

From what we've seen Meraki is the only vendor that has got cloud management nailed. Our experience in schools is that while vendors say they do integration well, the reality is quite different. We've replaced Sonicwalls (integration not great), Fortinets (reporting not great), Watchguards (authentication not great) and others. Part of the reason for this is that we leave the firewall and network in the hands of the network admin but allow non-techies to manage filtering and access reporting dynamically online rather than via static reports. It seems to be working so far... Separately we've spent a heap of effort in engineering a bulletproof remote update process that allows us to develop and deploy new features quickly.

 

 

BYOD is not hard to handle now, with most platforms supporting RADIUS Accounting + Social Media auth for a couple of years.

I guess we take this even further with Chrome extensions that automatically authenticate users on networks and allow off-school-network filtering for school owned Chromebooks. In schools there's a big difference between ticking a feature box and actually making this functionality serve an education environment.

 

 

All the high performance boxes use specialist processors (PAN use a combo of ASICs/Caviums, Sonicwall use Caviums, Forti/Juniper use ASICs). These often accelerate packet inspection, SSL encrypt/decrypt, IPSEC and other features. Anything x64/x86 based can never come close to these in performance. So I am extremely wary of bold performance claims around VM based firewalls.

My view on this is that CPU processing power is increasing faster than useful bandwidth. Custom engineering is always going to give the best performance but in most practical situations such performance is not required. Almost feels like 'this is what we've always done so we'll keep doing it.'

 

 

Looking at your demo I will list what I 'missed' as the features may be under the hood somewhere:

 - SSL decryption (must have IMHO, looking at cert headers is not good enough)
 - IPS (snort IDS is not enough)
 - GatewayAV with some sort of NGAV/ATP/sandbox scanning
 - Flood + DoS + DDoS protection
 - Connection limiting
 - IPv6
 - High Availability
 - SSL based client VPN

Will quickly run through these things:

 - SSL - we don't think teaching kids to install root certs on their devices is a good idea, if we have to do this it will be done in the cloud, many schools detest this idea.
 - IPS - for the moment we don't have enough resource to pursue this, longer term interesting things can be done cloud side.
 - AV - you're right on this one, this is an enterprise feature, however our target market (schools) do not require or expect their firewall to contain this functionality, however something could easily be done around this in future.
 - DDoS - have some upcoming plans around this.
 - IPv6 - it's on the roadmap.
 - High availability - for the moment via VMware vMotion, which is a spectacular technology.
 - SSL client VPN - while possibly considered more secure, the hassle of needing a 3rd party client to connect makes this a difficult justification when L2TP/IPSec VPNs are secure and supported by everyone natively.

 

 

Not features but:

 - independent certification (e.g. ISCA)
 - independent testing (maybe something like Ixia and Spirent Mu tests)

Also information on how your stateful and Layer 7 engines handle evasion techniques, is the layer 7 engine proxy based or flow/stream based (how does it handle out of sequence packets etc, does it have any memory limitations).

Would love to do independent certification but this is expensive.

 

 

So far the only unique offering is the teacher management capability - although there are a couple of products out of Aussie that do this (Cyberhound and something else I cannot remember the name of) - I would class them as proxy servers but they do try and sell themselves as firewalls. But that feature is purely a school feature.

There's a bunch out there, either proxy servers or client based, both have their flaws, we reckon a hybrid firewall/client approach provides the best of both worlds. We view our competition as Lightspeed Systems, GoGuardian and Securly amongst many others. We went to ISTE in Denver last year and found we measure up really well, validated by replacing Lightspeed in a US district and they're super happy.

 

 

I would also note that "means that security responsibility is shifting to the OS" is a given. I find this an annoying statement often used to lessen the expectation of network security. Security should be defense in depth, a multilayer approach. This should include security on the OS/device AND security on the network. It is not hard to do.

Absolutely. Security measures should reflect the 'value' of what is being protected. With local IT being replaced by cloud services I'd argue the 'value' is dropping quickly. Most schools we work with want an 'All cloud' future because the cost benefits are so compelling.

 

 

 

Thanks for your comments, great to get your perspective, please call me out where you think our reasoning is wrong. As said there's some hyperbole in my comment, but I'd still argue there's no other OS firewall out there that offers some of these features, hence they are 'Enterprise' specific, but yes that's not our market and we don't intend it to be.

 


3754 posts

Uber Geek
+1 received by user: 2222

Trusted
Lifetime subscriber

  # 1756470 4-Apr-2017 18:13

SSL/TLS interception is a bit of a double edged sword. _Personally_ I'm vehemently opposed to it, and I'm currently fighting a valiant but ultimately doomed attempt to stop it being implemented at work. Managers will always want to know what staff are doing with a work provided internet connection and don't care if it makes said connection horribly insecure. 

 

 

 

 

 

 





Information wants to be free. The Net interprets censorship as damage and routes around it.


2567 posts

Uber Geek
+1 received by user: 765

Trusted
Lifetime subscriber

  # 1756520 4-Apr-2017 19:19

What self-install pricing options are there for Surfwize for use outside of the education sector?  For example, use at home or in a commercial environment?





"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 
 
 
 


925 posts

Ultimate Geek
+1 received by user: 291


  # 1756595 4-Apr-2017 20:36

vulcannz:

ScottNoakes:

I'd be curious to know your response to the above thoughts. We may just be blowing smoke up our own arses. :) It may be that I am the complete tosser here. ;)

Cheers Scott.

OK well here goes..

Cloud management is common these days, network traffic reports are old hat (including layer 7 by user etc). Layer 7 has been around since the early 2000s (if you don't count the Sidewinder's 'proxy everything' mentality). I've diagnosed many VPNs, Fortinets aren't my favourite but their VPN is fine. LDAP/AD integration is old hat, social media auth is not rare either. Automated firmware updates would land in the "are you crazy?" category for any decent size organization.

BYOD is not hard to handle now, with most platforms supporting RADIUS Accounting + Social Media auth for a couple of years.

I also work with firewalls in many schools.

All the high performance boxes use specialist processors (PAN use a combo of ASICs/Caviums, Sonicwall use Caviums, Forti/Juniper use ASICs). These often accelerate packet inspection, SSL encrypt/decrypt, IPSEC and other features. Anything x64/x86 based can never come close to these in performance. So I am extremely wary of bold performance claims around VM based firewalls.

Old news, I'm afraid. The days of ASICs at the low end are numbered. Snabb Switch can saturate 10GigE on commodity x86 hardware. Look at the performance, not how it's obtained. Running anything in a VM rather than on bare metal will impact performance, of course.

And remember, the Linewize product is aiming at schools/etc, they're not trying to pass 10 gigabits of traffic on an Atom.


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1756765 5-Apr-2017 08:21

deadlyllama:

Old news, I'm afraid. The days of ASICs at the low end are numbered. Snabb Switch can saturate 10GigE on commodity x86 hardware. Look at the performance, not how it's obtained. Running anything in a VM rather than on bare metal will impact performance, of course.

And remember, the Linewize product is aiming at schools/etc, they're not trying to pass 10 gigabits of traffic on an Atom.

Sure if you want to do fast network pathing. But we're talking packet inspection accelerators, SSL packet decryption, IPSEC acceleration and many other things done on specialist hardware. Schools are anything up to a couple of thousand students, with several thousand devices, on a Gbps circuit.


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1756791 5-Apr-2017 08:44

ScottNoakes:

Stuff

I've seen every firewall vendor replaced for all sorts of reasons. For each of those vendors I could argue the points til the cows come home. Quite often it doesn't always mean they're bad at what they do. For example I know of one vendor where updates are causing major issues, and the platform is seen as a bottleneck. As I said no device is perfect.

 

Device content filtering is not new, Sonicwall have had this for many years (Chromebooks, Windows, Mac OS).

 

Performance can be a security issue, you don't want your network to choke because you cannot meet the throughput numbers. That is effectively a self-served DoS. Currently you don't seem to do IPS/SSL-Decrypt/or GAV. What happens when you start doing that stuff? In every case I've seen a firewall translated from a hardware accelerated device to a VM the performance loss has been massive. All the schools I've talked to required IPS, we saw several schools get hacked last year and some of those were via compromised web servers (despite some claiming it was weak passwords) - not to mention the client side protections IPS brings (AV does not help protect against network attacks).

 

From what I can tell you're not a zone based solution (correct me if I'm wrong). So yet another point where, if added, performance will suffer more.

 

SSL VPN is a nice to have due to the challenges with IPSEC on some networks (especially mobile, CGNAT etc). There are many places you can go where IPSEC just doesn't work.

 

SSL Decrypt is a necessity. Without it you cannot do accurate web filtering or app control, and you cannot protect the client device from attacks (e.g. against browsers, plugins like Flash, even client side AV has been attacked recently). When the software guys can put their hands on their hearts and say 100% there are no flaws or vulnerabilities in their software then maybe we can get rid of it - but if you believe them I have a bridge to sell you.

 

Sure independent testing and certification is expensive, but if you want to have a horse in the race that is a common requirement.

 

So in summary, a lot of things you have said make some sense for schools, but I think the product is far from being a firewall replacement against the usual vendors. Performance is alright compared to other x86 based firewalls, but this is likely due to many of the missing features. Remember this is not just about schools, you put your product here as a firewall that delivers enterprise features.

 

FWIW I enjoy this as a learning experience. You don't learn much from spec sheets and powerpoint slides. As I said I'm certified on a crapload of network security products and regularly use them in anger. I'm always interested to see what innovations products bring and how they measure up. I hope you take my 'criticisms' as more of a roadmap to potential features.

 

 

 

 

 

 


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1756793 5-Apr-2017 08:46

Lias:

SSL/TLS interception is a bit of a double edged sword. _Personally_ I'm vehemently opposed to it, and I'm currently fighting a valiant but ultimately doomed attempt to stop it being implemented at work. Managers will always want to know what staff are doing with a work provided internet connection and don't care if it makes said connection horribly insecure.

Unfortunately it is needed, both from a securing the client and monitoring the client point of view. I don't see how it makes the connection horribly insecure unless you're using something really crappy. The systems I normally use typically offer better ciphers than the client browsers do, and can exclude sensitive websites quite easily (e.g. banking).


3754 posts

Uber Geek
+1 received by user: 2222

Trusted
Lifetime subscriber

  # 1756888 5-Apr-2017 11:16

vulcannz:

Lias:

SSL/TLS interception is a bit of a double edged sword. _Personally_ I'm vehemently opposed to it, and I'm currently fighting a valiant but ultimately doomed attempt to stop it being implemented at work. Managers will always want to know what staff are doing with a work provided internet connection and don't care if it makes said connection horribly insecure.

As per https://www.thesslstore.com/blog/https-interception-harming-security/ plenty of implementations are horribly flawed, and that's without even considering the privacy aspects.

 

The sooner someone far smarter than me comes up with a way of encrypting web traffic in a way that outright prevents MITM attacks the better. 

 

 





Information wants to be free. The Net interprets censorship as damage and routes around it.


436 posts

Ultimate Geek
+1 received by user: 145
Inactive user


  # 1757084 5-Apr-2017 15:03

Lias:

vulcannz:

Lias:

SSL/TLS interception is a bit of a double edged sword. _Personally_ I'm vehemently opposed to it, and I'm currently fighting a valiant but ultimately doomed attempt to stop it being implemented at work. Managers will always want to know what staff are doing with a work provided internet connection and don't care if it makes said connection horribly insecure.

As per https://www.thesslstore.com/blog/https-interception-harming-security/ plenty of implementations are horribly flawed, and that's without even considering the privacy aspects.

The sooner someone far smarter than me comes up with a way of encrypting web traffic in a way that outright prevents MITM attacks the better.

Only 1 out of the top 4 SSL decrypting products I would rate is on that list (Bluecoat). So that list is very meh.

How are you going to protect your device from attack if you have no MITM? Do you think there is some magical perfect browser available that is invulnerable to attack?

If you don't like MITM then no one is forcing you to use your work internet for anything but work related tasks.




20 posts

Geek
+1 received by user: 10

Linewize

  # 1757252 5-Apr-2017 19:41

 

What self-install pricing options are there for Surfwize for use outside of the education sector? For example, use at home or in a commercial environment?

Hi Dynamic, residential users are welcome to use the service for free, but you'd have to be able to provision it yourself on your own hardware. We don't have the resources to support residential customers, in some distant future we'd rather provision services from within ISP datacentre and use existing CPE to GRE tunnel network traffic to the DC.

 

We do have commercial customers and do a good job of replacing a proxy based solution such as Webmarshal. If you email me at scott.noakes@linewize.com I can forward the business pricing. It's not our focus but the product works equally well in that environment.




20 posts

Geek
+1 received by user: 10

Linewize

  # 1757260 5-Apr-2017 20:20

 

VulcanNZ:

Stuff reply

"For example I know of one vendor where updates are causing major issues, and the platform is seen as a bottleneck." :) I'm assuming you may mean Linewize here. I'll admit we've had our issues, but I do believe we've come out the other side of this. We are susceptible to network loops on poorly configured networks, but we do a lot of gratis work with schools to isolate and fix such issues. Mis-configuration in the past has caused throughput issues, such as attempting to display a redirect page for every facebook request, we've improved our GUI to prevent such things, one of the challenges we face in making filtering self-management easy for non-techs.

 

In regards to performance we monitor CPU load and upgrade schools who need a more powerful appliance, its part of the service. Yes moving into more processor intensive features will take a hit but we think there's a number of aspects that can be dealt with more effectively cloud side. As said before we don't expect to be able to compete with billion dollar companies, we see our value elsewhere.

 

 

 

From my understanding of zone based firewalls, we already support this, our routing rulesets are very flexible and object based, our objects can use any network criteria.

 

So far the lack of SSL VPN has not proved a barrier, again likely specific to our target market. SSL decrypt is an ongoing discussion point here, we've chosen to avoid the UK market where legislation mandates that all schools provide an active response to any social media that could be interpreted as harmful, apparently "I'm catching the bus at 4." is a euphemism for committing suicide and needs an active intervention, sounds a bit 1984 to me. Google and co are making noises about preventing such MITM approaches.

 

 

 

I enjoy this as a learning experience too, thanks for your insight, it helps guide where we take this product, there's always a ton of interesting possibilities that get tossed about, one example remotely managing firewalls on shipping vessels where satellite overage charges are a killer and when in port route via the GSM network. Your comments are certainly not taken as criticism, more as guidance and a reality check for my enthusiasm. :)

