分享

此君在国内名头并不响，在Wiki上竟然也没有人立碑做传，我其实也是在知道PAN之后才听说这个家伙（当然无缘得见）。值此年根岁末，提前回家过节，于是花了一整天时间查资料，写一篇东西同大家共享。

Internet上关于此君新闻不少，有价值的不多，换句话说噪音很大，基本上找到如下东东：

1.学术论著

无。

看看此君自述“For the past 15 years, I have been heavily involved in the design and implementation of network security technologies for enterprise networks. ”

同弓总不同，此人是从完全从工程领域走出的英才。

2.Presentation

作品一篇“Next Generation Firewalls”

3.blog

几篇豆腐块文章，参照http://www.paloaltonetworks.com/researchcenter/author/nir-zuk/

4.Patent

4，5篇，涉及状态跟踪专利，high-availability，日志分析，Packet classification等

5.Interview

几篇，多是荷兰文和日文。天朝大国的娱记都跑到哪里去了？？

英文interview一篇：http://rationalsecurity.typepad.com/blog/2007/11/take5-episode-7.html

MP3一首，就是download不下来。

6.视频多篇

都在Youtube上面，本人看不了。不是本人想不出办法看，实在是遵纪守法良民，不去强求了。

言归正传首先看看此君的名头：

2005-today Founder and CTO at Palo Alto Networks
- Next Generation Firewall
2002-2005 CTO at NetScreen/Juniper
2000-2002 Founder and CTO at OneSecure
- World’s first Network IPS
1994-1999 Principal Engineer at Check Point Software

我等鼠辈，到头来顶多就是个Principal Engineer。人家刚出生就已经是了。大凡工程师都有个臭毛病，就是文人相轻，眼高于顶，只有老子才是对的，别人一概不服，至少是口服心不服。我的感觉是，可以不服老人家，但是对于DE，CTO，首席之类的一定要服，这个世界上确有工程人员千里挑一，可以写出神鬼莫测的code，架构出精妙绝伦的系统。因此，即使和N君从未谋面，看了简历我也心服口服了。

Nir的工程界的创新如下：

１.flow-based stateful-inspection firewall,

２.high-availability for firewalls

3.stateful-signatures for intrusion detection and prevention.

上述特性基本上都是现今各个公司的标准配置了，它们都是如此自然，以至于没有Nir，也必然会被如此这般的做出来。只是Nir出道后一直站在业界前端，得以有此成就。可以说Nir创造了历史，历史也成就了Nir。

看看自述“The depth and breadth of experience I have gained over the last two decades, combined with extensive interaction with thousands of customers, has given me a unique perspective on a variety of network security issues – both at the business level and the technology level.”

对于工程人员来说，最宝贵的是自身积累的研发经验以及对于客户需求的理解，这也是学术界绞尽脑汁也很难写出几篇RFC的原因。因此对于Nir的成功，很难复制，自身的功底和机遇并存。

另外对于，item 1。我查到了Checkpoint的专利。Nir并非第一作者。Nir本人说的明白“I helped create Stateful Inspection, the basis for virtually all network security devices today”.

工程技术往往是协作才能完成大的创新的。

现在我们又可以增加上第四个：

4.Next Generation FW

下面是此君的业界产品评论：

1.对于对手，如秋风扫落叶般的无情：

UTM is a jack of all trades but master of none, or as my good friend Laurent Daudre-Vignier puts it, UTM, and Fortinet specifically, is like a duck. It can fly, swim, walk, dive, tweet and lay eggs but cannot do any of these very well

2.对于老东家，恨铁不成钢

I am pissed off. I am hurt. I built a big part of the Check Point product and to see what a bunch of jerks have done to that company really hurts. Check out  “Check Point Revolutionizes Security with New Software Blade Architecture”. WTH? Are you kidding me? Do you think people are that dumb? Anyone with an IQ over 70 reading the press release will see immediately what it’s about. It is about a new licensing scheme. Check Point’s major innovation is a new freaking LICENSING SCHEME!!! This not only hurts to see. It’s sad. A former top innovator in network security has been spending the last 3 years of its research and development on a licensing scheme aimed at squeezing more money from its customer based. So sad. So sad.

3.对于Juniper青眼有加

There are, however, multifunction devices that have best of breed components in them. Juniper has integrated security devices which have a world-class firewall and a best-of-breed IPS (I built both…).

言语虽然不多，但是性格鲜明。传言，一般牛到Top level的技术人员都很和善。我觉得主要是没有奔头了，满大街都是小弟了，还有什么可以得瑟的。但是Nir似乎不是这样。其实能够做自己想做的事，说自己想说的话，就是一种成功。

以下是此君对技术趋势的评论

1.Proxy－based的安全方案

At one point, TIS excused its proxy’s limited market acceptance by saying Check Point had a better GUI and was easier to manage. I have a different perspective: Proxies have failed because they are hard to use and not because they are hard to manage. Putting a proxy on the network puts unnecessary restrictions on the business, as to what the Internet can be used for. With a proxy, the business is limited to using only the applications that the proxy supports. Consequently, a proxy limits the business instead of enabling it!

2.对于FW

But this time, Richard, I have to disagree with you. Putting a firewall and an IPS on the same box is not innovation. I did it as the CTO of NetScreen more than 6 years ago so it’s certainly not new. And even then it was not innovative.

To make a better firewall, one needs to change the firewall itself.

3.对于Web-base应用

There is a slightly more subtle implication, but to me a far more important one. Google and the likes of Google are establishing a direct relationship with the enterprise end user, bypassing the traditional IT-department controls over which applications are used and who can use them. The IT department only needs to provide the pipes. Google will take care of the rest. And speaking of pipes – that DS3 link you have isn’t big enough. It needs to be upgraded – quickly! Google needs you to have more bandwidth. With everything coming in on ports 80 and 443 to the browser, QoS doesn’t work. So, more bandwidth please.

以及其对于IT部门悲惨结局的预测：

1) Denial (our users are using these applications? Nah!);
2) Anger (our users are using these applications? WTF!);
3) Bargaining (hey, if you stop using these applications we will upgrade your computer);
4) Depression (I can’t believe our users are using these applicationsL);
5) Acceptance (fine, are users really using these applications – let’s deal with it).

4.对于应用识别

I think that a more important trend in network security today is the　move from port-centric to application-centric classificationtechnologies. This will make most of the existing products obsolete,similar to the way stateful inspection has made its predecessorsdisappear from the world…

５.对于网络处理器和通用CPU的性能对比

【本人这方面是菜鸟，听后大感意外，原来Intel CPU这么囧】

Intel CPUs are very good at crunching numbers, running Excelspreadsheets and for playing high-end 3D games. They are not so good athandling packets. For example, the newest quad core Intel CPU canhandle, maybe, 1,500,000 packets per second which amounts to about 1Gbps with small packets. A single network processor, such as the one ofmany that we have in the PA-4000 series, can handle 10 times that -15,000,000 packets per second. Vendors that claim 10 Gbps throughputwith Intel CPUs, do so with large packet sizes which do not representthe real world.

6.对于IPS/IDS产品评价的一些看法

【兄弟深以为然】

As for the IDS/IPS functionality in the PA-4000 productline, it is providing full context for the IDS/IPS signatures for betteraccuracy but the most important reason as to why the PA-4000 productshave better accuracy is because Palo Alto Networks is not a pure IPSvendor and therefore does not need to play the “who has more signatures”game which leads to competing products having thousands of uselesssignatures that only create false positives.

总之我个人喜欢这样人的性格，率性。

我天朝大国，网络安全人士多如牛毛。前几个月，微软公布的安全漏洞尽数被我国民揽入怀中。绿盟和启明星辰在这方面贡献良多。但细想一下，相关牛人多为逆向专家，通俗的说是搞爆破的。对于系统正向架构的人才，很少听到国民扬名海外。Nir就是此中高手。

高中数学老师曾经教训本人“纵使清云无雨色，入云深处亦沾衣”.

兄弟虽然愚钝，但也要好好学习，天天向上，见贤思齐吧:-)

分享