Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Magosányi Árpád <mag () magwas rulez org>
Date: Tue, 26 Apr 2011 10:17:10 +0200
Dear Ark,

I am in the position that I see both the open and closed source market, both from a vendor's and the enterprise perspective. And I see this:

1. Enterprise firewall is just an item on the checklist to be ticked, because auditors want it. What the CIO wants is that they should have a big name, low TCO, and don't get in the way of traffic. And there is no one who could tell him why the enterprise needs real firewalls, because

2. honestly no one has a clue.

a) Yes, they might have a faint idea about domain separation, and that's all. Try to talk to a "firewall expert" about information flow control policy, the Bell-LaPadula and Clark-Wilson models, interdependencies of security functions in an enterprise, Trusted Network Interpretation. You will see glassy eyes. They haven't even heard about the concept of crystal box. The log analysis expert hasn't heard about Artificial Ignorance in his whole profession. Ridiculous. (Of course this is not true of the readers of this list, but this is what I am seeing daily out in the wild.)

b) An application level firewall is an inherently complex beast. We see firewall operators struggling to catch the concepts behind Zorp. An average firewall operator needs a week of hands-on training. Of course fwtk is simpler, you just need a competent unix and network administrator to use it, which is also in short supply these days, especially in this combination. While with simple software it is possible to drive marketing with the open source version, application level firewalls are not in that category. (Honestly for a long time we did not do anything with syslog-ng beyond some occasional bug fixing and playing around with it in our free time. And suddenly companies started to ask whether they could pay us money for it. Sure:)

3. Actually using real firewalls meaningfully needs a level of maturity which very few enterprises possess.

a) As we all know, the firewall operator is the one who should chase down programming bugs at the end of the day, simply because s/he is in the position to see all parts of the puzzle. It is a big burden, and easier just to allow anything through than to make a real solution. And the one who should solve the problem is not the firewall operator. You need a very strong exception management procedure to handle only that aspect (ITIL as used today is just not enough for this). And we were talking only about simple breaches of the protocol. It happens everywhere, the http proxy to the outer world being a prominent example of how impossible this mission can get.

b) Now let's talk about the cases when you need more than a check for protocol compliance. The first question is: how will you identify the security function you have to implement in the firewall? The answer is easy: from the design documentation of the system protected. So you first need meaningful design documentation (mission impossible one), a security assessment of that on a meaningful level (mission impossible two), and a good procedure to turn the security problems of the protected system into requirements against the environment. This needs a strong enterprise architecture (mission impossible #3 because of COTS products), and very high procedural maturity.

4. We have an IT governance model out there which most enterprises follow. The most important part of it is that (licence) fees and actual work done have nothing to do with each other. In most enterprises you cannot just deploy an open source solution. To be able to do this, it should be rebranded to have an "Oracle" label on it :) Seriously: open source based IT governance is something you and I might know how it should be done, but IT managers have yet to learn.

In the meantime you have two ways: you are either a system integrator, and introduce open source as part of the integration activities to support functionality of braindead broken COTS software, or you create a "paying" version of the open source one. Enterprises are very happy to buy paying syslog-ng and Zorp for heaps of money when they use only the GPL features. They just cannot think out of the box. Unfortunately with this governance attitude one has to be very creative to be able to come up with a business model which is suited to the GPL side. Because open source is about community, and reaching critical mass is very hard, especially if you come with a niche product aimed at the enterprise. This is a feat neither FWTK nor Zorp has been able to achieve. You should live with the fact that people are people, and several downloads daily are not enough to start the chain reaction. (I am now trying to persuade my friends to go for a business model for our Zorp product lines (pro and GPL) which is more aligned with what we are actually doing. But they also have picked up some bad habits in the passing years, so we will see.)

5. Complex software aimed at the enterprise is not about features, or at least not the way one would think of it at first. Take a good look at SAP. Honestly, I think that their software is crap from ancient times. But they deliver it professionally, the main point being procedures. Because what enterprises are struggling with is not quality of software: they have learned to live with bad software (this is why they need firewalls in the first place); actually they have never had the opportunity to use anything actually usable: there is simply no software out there which would cover the needs of a complex enterprise. Their main problem is how to run their procedures in a less suboptimal way than they are doing today. And SAP is helping them in this: they are given business procedures and IT support procedures. Those are not the best ones, and they are paying orbital amounts for it, but at least there is a clear recipe which the enterprise can follow. Or take a look at Oracle AIA, the most exorbitantly priced component of the SOA suite: it is not much more than a set of configurations, some of them directly going against the SOA principles. But there is an enterprise data model in it. Not a good one, again, at least not aligned with the sector I am mostly working for. But I see enterprises dumping a lot of work to jump on the AIA bandwagon. They got something which they can follow without thinking much, and they don't care about some small misalignments: they learned to live with it long ago. And they cannot afford to have a solution which needs much thinking: you can build a small company on a handful of brilliant people, but enterprises are run by Average Joes. So offering a product with features to the enterprise is a bad move. You should give them a solution to some problem that hurts, and it should be dead simple. We have lost at this point forever:)

6. The world is changing. This means that new buzzwords come up, followed dutifully by the market. Fortunately new buzzwords usually mean the same old things. Those ideas which were too immature 20 years ago reemerge later under a different name and shape. You are looking for an application level firewall? Look at "xml firewall" and "SOA firewall". They are out there. Yes, they are specialized into a very tiny subset of the problem space (and the rest is still uncovered), but maybe that is the most important part anyway. I am also seeing labeling and information flow control gaining momentum. You should be very familiar with both TNI and modern enterprise architecture to catch a glimpse of it, but it is there and growing. And our profession is changing, too. In the good old days when fwtk was born, we were some kind of unix people. Then we became network people. Now I would say that firewalls are about architecture. And they will never be the same again.

As a summary, open source application level firewalls have two serious problems. One is that open source aimed at the enterprise is not a good bet right now. I think it will change (there is progress), but we need years for that. The other is that application level firewalls as you and I think about them are practically dead right now. No problem, it is still - and will ever be - a niche on which we can feed some tens of programmers, but if you want to get out of that dead-end, you have to have a good bet on where the industry will go, and play it. (I have my bet, BTW.)

On 2011-04-24 19:27, ArkanoiD wrote:
In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market. Now both are either extinct or forced to an ugly low end (for opensource, it usually means having no security-centric framework, no common API, no real code review -- just a bunch of "functionally fit" free things installed on a linux box with some simple web interface).

For proxy firewalls the future is even more questionable. Multiple state-of-the-art technology leaders were merging (quite obviously being unable to stay competitive with cheapo crap) until there was only One left.. SC, later bought by McAfee. And now McAfee is owned by Intel and it seems to show no interest in high end firewall solutions at all, they seem to think they just bought an "antivirus company".

I asked guys on LinkedIn (having to admit LinkedIn security community sucks big time, some sane people are still there :-) , if they still have some interest in opensource firewall solutions. The short answer was "NO". The long ones were:

-- It is all about performance, we want as many Gbits per $ as possible, so ASIC is the only way
-- It is all about features and support, no free solution fits.

And the second point seems to be pretty valid. We have *NO* product that is a match for current "market leaders". It does not mean it is impossible: it is quite obviously possible, but we still do not have it. You may take OpenFWTK, Prelude, Snort, ClamAV, some unix of your choice and.. still not get really the same. Protocol support is not that good, no common management interface and not really ready for an enterprise which is not full of geeks at all, management overhead and TCO are going to jump up beyond any reasonable limit. OpenDLP is just a sad joke, running a bunch of regexps against your data is not the thing to be called DLP.

As I am still running the OpenFWTK project, I have to admit I get little to *NO* support from the Opensource community. The single reason the project is still alive is occasional donations and paid feature requests from *commercial* vendors who use some OpenFWTK components in their products. Maybe once a year or two I receive a bug report or even a patch or some half-baked piece of documentation. I appreciate that, but most of the time I never hear from those people again. Despite that, Sourceforge shows several downloads/checkouts daily, but the feedback is close to zero. Once I googled for OpenFWTK I found some Japanese site with patches they did not bother even to send me, and there was no contact email and no way to send them any questions as the comment form was protected with a captcha in Japanese!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards