by Scorpiion 2039 days ago
This reminds me of Google Cloud's built-in network firewall[1], which is just called "Google Cloud Firewalls". One difference is that Google's firewall capabilities are built in and part of the platform, no extra service or fees. Just thought it could be an interesting reference for people not so used to GCP.

[1] https://cloud.google.com/firewalls


GCP's built-in firewalling capabilities are quite basic and on par with AWS' Security Groups and NACLs. This new offering is Suricata-backed, which offers much more sophisticated packet inspection, and is probably built off their recently launched Gateway Load Balancer tech [1].

A key difference is that with third-party appliances, and now with Suricata, hostname-based (rather than IP address) filtering can be applied at the VPC level. This isn't possible in GCP's native offerings.

Disclaimer: I should add that I work for a third-party firewall appliance company myself so have been looking at these developments with a lot of interest.

Although a deep-dive analysis is pending on my side, on the face of it this would seem a security-lite offering, as another hacker on this thread has put it. If one were to consider what protocols are supported for hostname-based filtering, what depth of checks are run, how ECH/ESNI is handled, and at what level of granularity policies can be attached to individual applications, the offering is a bit underwhelming to say the least. Compare that to our product [2] (on AWS and GCP), and ours is more straightforward to deploy, incorporates the best protocol-level decisions already, and has a closer association with individual applications. (You basically stick in the protocol and hostname (even for SSH) in the description field of each Security Group or Firewall Rule.)

[1] https://aws.amazon.com/blogs/aws/introducing-aws-gateway-loa...
[2] https://chasersystems.com/