Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 25 Apr 2011 20:29:56 -0400

Anton Chuvakin wrote:
> In ArkanoiD's insightful rant, I am hearing "open source security
> tools are dead." Is that really so? I doubt it - and here is why: I
> think a lot of use cases for OSS sec tools are being dismissed by the
> rant author as "cheapo crap." In reality, "cheapo crap" means "used by
> everybody else but F1000"

The problem is that's where the money is. And PCI and other
audit standards are going to exacerbate the problem. The
market has shifted away from do-it-yourself to checkbox
security in a big way, and that means that the OSS products
pretty much are left to appeal to the customer who has no money,
i.e: is not interesting to the vendors.

I agree with you that it's not necessarily "crap" but OSS
generally means "free" which also means that one or two
OSS solutions suck all the oxygen out of the bottom of the
market - while the commercial offerings dominate the middle
and the top. If you get into a feature war with a commercial
product that has 20 engineers working on it, full-time, you
are not going to win if you're a typical OSS project. That
is especially the case with firewalls. It's one thing to
write a bunch of software that's going to run in *BSD or
whatever, but the commercial competition is using Cavium
processors on custom mother-boards with crypto accelerators
and regex in silicon. To play where the commercial bandwidth
is, you need a couple million bucks - at a minimum - just
to tool up enough to start developing a product, let alone
bring it to market.

Back in the day, customers always tortured me about
bandwidth through the firewall - even though, at that
time, nobody actually knew what they were pushing; they
just needed a promise that it was faster than it could
possibly be. OSS by its nature appeals to people that
won't just believe a sales brochure that says "it'll
handle 20 jillion wossnames/sec!" but the commercial
market is now acclimated to exactly that. It's a cultural
divide that's only deepening and will get much deeper
still in the coming years.

Where I still have some hope is that the "advanced persistent
threats yadda yadda" is slowly cluing people in to the fact
that you CANNOT escape without knowing what's going on
in your network. Looking for command and control is
the next IDS and antivirus signatures everywhere game
but the survivors are already looking at how to parse
their networks apart, logically, to improve analysis
of traffic and to figure out how to leverage configuration
management and change detection to identify machines
that are infected. There won't BE a one-size-fits-all
technology for that (though many things will be sold
as exactly that) because it's got to be specific to your
network, and - at its core - knowledge based on facts
you know about how your network should behave. In other
words a move away from "misbehavioral" based anomaly
detection toward "goodbehavioral" based analysis. There
will be a market for building tools for such purposes
but, again, they'll have to handle skull-popping
amounts of data at really high speeds. I don't see OSS
working in that space unless someone makes an OSS
network processor-based applications framework that
includes hardware. No vendor will do that because they
don't care about some OSS project; they want to sell
to Cisco or Palo Alto or whoever.

The short form of all that is that I think the security
market has matured, financially, if not technologically.
The do-it-yourselfers are fewer and fewer and I guess
we're kind of like steampunks: longing for technology
of yesteryear where we forget today how much we hated
it then.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenable.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
