Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: ArkanoiD <ark () eltex net>
Date: Wed, 27 Apr 2011 23:48:22 +0400
On Tue, Apr 26, 2011 at 12:25:37AM -0700, Tracy Reed wrote:
> Even "inconsistent code" is rather nebulous. Does it all have to be written by the same person? In the same style? Same language? What? Googling for "openfwtk api" produces references to the fwtk API in websites talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK saying stuff like "OpenFWTK is an application proxy toolkit which inherits the ideology of TIS fwtk and maintains API backwards compatibility." What is the OpenFWTK API?
A set of functions and data structures that provide access to common configuration, authentication, logging and (to some extent) data processing mechanisms. Wasn't it clear enough?
>>> when someone calls a packet filter a firewall. It just seems like pointless snobbery.
>> Shorewall is just a packet filter configuration frontend.
> Indeed it is. And the PCI SSC considers this packet filter a firewall which makes card data more secure. And that's just what I need to make my clients happy.
(shrugs) if that's enough for you, I doubt reading this list provides any value in this context :-)
>> We do. Say, dealing with webmail *exactly* the same way as "classic" email protocols is a must these days.
> You propose that a firewall should be able to MITM the https stream of gmail, parse the HTML/Javascript coming from gmail (wouldn't you have to even execute the Javascript and possibly run into the Halting problem etc?) and...do what with it? And if gmail changes their code? And you expect a firewall to do this for every webmail implementation? That does not seem reasonable.
It may sound "reasonable" or not, it is a sane requirement. Sane from some customer's point of view, like in "I do not care about your technical problems, I just pay the money to someone who stops whining and gets the job done. If there is more than one, ok, I agree to listen to some tech talk about how you do it better than others".
>> "Common" means you may build a feature rich system using components you need. It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.
> "no common management interface" and "common means you may build a feature rich system using components you need"? I'm just not following.
You do not really see a difference between Shorewall and, sorry for the buzzword, "enterprise ready system" which includes firewalls, filtering routers (ah, sorry, those two are the same for you), IDS, endpoint security solutions, DLP components, security information management systems, reporting tools etc etc any "big name" may provide?
> Googling for "firewall data normalization" or "DLP data normalization" does not produce anything useful. "data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm but only because OCR stands for the Office for Civil Rights which is apparently the part of the US govt that enforces HIPAA. And that DLP box looks less like a firewall than an appliance which sits on a span/mirror port and sniffs traffic and applies matching and parsing rules. In short, it's hard to tell what any of this really means, whether anyone is really producing software that does much of this stuff, or whether anyone is really asking for it, and whether it isn't all just marketing BS in an industry infamously rife with such BS.
(shrugs) we have a solution here that does it all. Don't think there is a problem you cannot google out.
> So that explains the problem that FWTK and presumably by extension OpenFWTK is trying to solve. DARPA identified the problem in 1993 but nobody else seems to have picked up on it or care much in 2011. PCI DSS is my area of focus and nobody is pushing the filtering of protocol content, just packets.
Damn fscking sure. Compliance is a "totally different thing". (I "do some PCI DSS" as well, but cannot even imagine it as an "area of focus", it is damn boring. Well, writing new standards may be fun, but "just following" is not :-).
> This is where something like OpenFWTK might be useful but it seems like Apache mod_security and its commercial variant have this market well serviced. And even then, when a web application spews sensitive information via SQL injection it usually does so without ever violating the HTTP protocol. In 1993 the big threat was buffer overflow exploits where your HTTP server might suddenly serve up a root shell on the tcp connection. That seems to be what DARPA was trying to stop. That problem has been mitigated more or less. Enforcing HTTP protocol (et al) may still be valuable but it does not protect us from the biggest threats of today.
Damn sure, for http-driven attacks protocol-level threats are almost a non-issue (except a few SSL ones). It does not mean there is no job for an application proxy, though.
> There is where DLP etc. come in, apparently.
Not here, DLP is not designed to do that.
>> Exactly how am I expected to get the community?
> What problem are you trying to solve? Is it really a problem anyone needs solved? You sure you aren't solving DARPA's problem of 1993?
Yes.
> Shorewall solves the problem I and many others have to solve. Very few people need many of the features which you have mentioned. Those who do need such things probably have tons of money and are in corporate CYA environments where they want someone to blame when things go wrong so they will want commercial support. DLP and the many other fancy features mentioned are covered by the big guys and small shops don't need/care for it. For all these reasons it is hard to identify who might be potential members of your OpenFWTK community.
"Someone to blame" is a good point (not someone to be responsible or to solve the problem :-) Well, I just wonder why there is almost no one who is willing to try the same things "for free".

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? Anton Chuvakin (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? Marcus J. Ranum (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? Magosányi Árpád (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? Tracy Reed (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? Tracy Reed (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? David Lang (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? Magosányi Árpád (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? Tracy Reed (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? David Lang (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? Magosányi Árpád (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? Claudio Telmon (Apr 29)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? Anton Chuvakin (Apr 25)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 29)