Unified policy - how is that connection really handled?

OK, so in R80 we have this deal where we have a rule match by committee, where the CMI, protocol parsers and pattern matchers are all looking at the rulebase column-by-column to build their array of "candidate rules".

BUT - they need to let some of that traffic run in some cases to get enough info about it before making a decision. So, what I start to wonder is how much, if any, of this "sample traffic" is let through before the connection is shut down? Does the gateway keep it in some kind of queue pending the final policy decision, or does some of that traffic actually transit the gateway prior to that decision being made?

3 Replies

Admin

Re: Unified policy - how is that connection really handled?

Generally speaking, we have to let the traffic through until a determination has been made.

The amount depends on what applications you've configured in your policy.

See also: http://phoneboy.org/2016/12/14/which-comes-first-the-ports-or-the-application-id/ 


Re: Unified policy - how is that connection really handled?

Yeah, and I am now up to speed on the little warning that comes with protocol inspection. You know, it seems to me that sandboxing connections before releasing them would be in order. Those few packets coming through prior to making the call on whether or not to drop make me a little nervous. Of course, it's better than no layer 7 inspection at all, but these days I imagine crackists focusing on using those few initial packets to do... something bad. In the old CVP days, we'd vector the whole file, scrub it and then release it. Wondering why we can't do that with the first few packets vectored into a VM to make sure it's all good before opening the gate.

BTW, nice to see your new site. (New to me - it's been a loooong time since I've looked at phoneboy.)

Admin

Re: Unified policy - how is that connection really handled?

This is why you should not allow all traffic on all ports to all destinations... to minimize the risk somewhat :)

To be fair, phoneboy.com has been around for quite some time, though its purpose has evolved quite a bit over the 20+ years I've had

When I started writing more about cyber security again, I decided to fork that content to a different site focused on that topic (phoneboy.org)

Now, I'm focusing my energy here :)
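The two points made in this thread (the original question about how many packets transit before the verdict, and the replies that the amount depends on the application rules and that scoping ports and destinations limits the exposure) can be shown with a small model. The following is an added illustration written for this page; it is not Check Point's CMI or protocol-parser code and does not claim to reproduce how the gateway actually buffers or forwards. The rulebases, the "identify the application once a complete first line is seen" parser, the port numbers and the payloads are all constructed for the example.

```python
"""Toy model of a unified policy narrowing a connection's candidate rules
column by column, and of how many packets transit before the final verdict.
Constructed illustration only: not Check Point's CMI or parser logic."""

from dataclasses import dataclass
from typing import List, Optional

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: str      # "*" or a TCP port as a string; decidable on packet 1
    application: str   # "*" or an application name; needs protocol parsing
    action: str        # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Decision:
    action: str
    forwarded_before_decision: int   # packets that transited before the verdict
    rule: Optional[str]              # matched rule, or None for the implicit drop


def identify_app(stream: bytes) -> Optional[str]:
    """Hypothetical protocol parser: it can only name the application once a
    complete first line (banner or request line) has been seen."""
    if b"\r\n" not in stream:
        return None                              # not enough data yet
    first_line = stream.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SSH-"):
        return "ssh"
    if first_line.split(b" ")[0] in (b"GET", b"POST", b"HEAD"):
        return "web-browsing"
    return "unknown-app"


def evaluate_connection(rules: List[Rule], packets: List[Packet]) -> Decision:
    """Match top-down; a rule decides as soon as all its columns are settled."""
    first = packets[0]
    # Column 1 (service/port) is known from the first packet: narrow candidates.
    cands = [r for r in rules if r.dst_port in (ANY, str(first.dst_port))]
    stream = b""
    forwarded = 0
    for pkt in packets:
        stream += pkt.payload
        app = identify_app(stream)
        if app is not None:
            # Column 2 (application) is settled: eliminate non-matching candidates.
            cands = [r for r in cands if r.application in (ANY, app)]
        if not cands:
            return Decision("drop", forwarded, None)     # implicit cleanup
        top = cands[0]
        if top.application == ANY or app is not None:
            return Decision(top.action, forwarded, top.name)
        forwarded += 1   # top candidate still needs app-id: this packet transits
    return Decision("undetermined", forwarded, None)


def http_connection(dst_port: int) -> List[Packet]:
    """Constructed HTTP request whose request line is split over three packets."""
    chunks = [b"GE", b"T / HTTP/1", b".1\r\nHost: example.test\r\n\r\n"]
    return [Packet(dst_port, c) for c in chunks]


def ssh_connection(dst_port: int) -> List[Packet]:
    """Constructed SSH banner, complete in the first packet."""
    return [Packet(dst_port, b"SSH-2.0-OpenSSH_9.6\r\n")]


# "Any/any accept" with an application block in front of it: the top candidate
# needs app-id on every port, so packets are sampled everywhere.
PERMISSIVE = [
    Rule("1-block-web", ANY, "web-browsing", "drop"),
    Rule("2-allow-all", ANY, ANY, "accept"),
]

# Application control scoped to the port it belongs on, plus a real cleanup rule:
# on any other port the verdict comes from the port column alone, on packet 1.
RESTRICTIVE = [
    Rule("1-block-web-80", "80", "web-browsing", "drop"),
    Rule("2-allow-443", "443", ANY, "accept"),
    Rule("3-cleanup", ANY, ANY, "drop"),
]

if __name__ == "__main__":
    for rb_name, rb in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        for label, conn in (("http/8080", http_connection(8080)),
                            ("http/80", http_connection(80)),
                            ("ssh/22", ssh_connection(22))):
            print(rb_name, label, evaluate_connection(rb, conn))
```

In the permissive rulebase the first rule cannot be settled until the parser has named the application, so two packets of the blocked HTTP connection transit before the drop, on any port. In the restrictive rulebase the same connection to port 8080 never reaches an application rule: the port column alone leaves only the cleanup rule, and it is dropped with nothing forwarded. The sampling window still exists on port 80, where the application rule legitimately applies, which is the trade-off the replies describe.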