Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Fri, 26 May 2006 09:51:17 -0400
At 09:00 AM 26/05/2006, Paul D. Robertson wrote:
On Thu, 25 May 2006, Chris Blask wrote:

o The best gadget in the world is no good if the maker doesn't survive to support it.

Sure it is. The vendor isn't the only choice for support, and if it's good enough to be the best, it shouldn't *need* regular support.
I don't believe in static security. If something was good enough to be best it would still be imperfect. The "vendor" could be the open source community, in which case the source is there for everyone to support, but a great product from a dead or badly-acquired company can be worse than useless.
o Another analog to twist would be: a bunch of talented and enthusiastic guerillas may be good at the start of a conflict, but when it gets really serious you'll be unhappy if you are not the one with the integrated weapons platform...

1. You're comparing apples and oranges, soldiers against weapons.

2. With the right guerilla force, the shiny new expensive platform is already useless by the time you deploy it *if it even makes sense for the conflict you're in rather than the last conflict that happened when the weapons platform makers all got their contracts.
Analogies are never very accurate (my favorite quote from an English teacher in HS: "There is no such thing as a synonym"). However, to pursue the military analogy:
History is full of tales of the vanquished who've felt their superior large-scale do-everything weapons could win. That's one of the reasons the US strategy to go to small light and mobile divisions is interesting- it's a step away from the traditional "bigger, more" philosophy of multi-billion dollar pork projects and Congress forcing the purchase of ineffective integrated weapons platforms.
o The reason the US military can successfully use "small and light" tactics today is that they have an integrated weapons platform. Robust standardized components tested to death (pun) interoperate in well defined ways, and small changes are enormously vetted before being released to the battlefield. Inventing new guns that take new bullets and are given to soldiers with new communications systems that use new protocols to sync up with new command structures that analyze data in new ways and provide tactical feedback in new schemas - well, that just wouldn't work real well. "Small and Light" in the US military context is only possible because they have developed "Huge and Heavy" amounts of testing and experience.

Of course, "small and light" can also be "we're just making this sh*t up as we go along and don't mind dying", sometimes introducing the surprising successes of randomization. Ironically, by the time a new technique discovered that way becomes wide-spread, it often loses the characteristics of surprise and flexibility that makes it successful.

In infosec today we are coining terms and creating methods on a daily basis - this is not a mature area of endeavor. When it is a mature space, we will have much more "integrated" "weapons platforms", whether single-vendor or standards-based.

-cheers!

-chris
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions which may have no basis whatsoever in fact."
paul () compuwar net
http://fora.compuwar.net Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards