Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Tracy Reed <treed () ultraviolet org>
Date: Wed, 27 Apr 2011 15:38:49 -0700
On Tue, Apr 26, 2011 at 05:03:27PM +0400, ArkanoiD spake thusly:
There are some right things happening, though. I see many firewalls are now capable of dealing with http based appliactions quite complex ways. Looks like FOSS is lagging behind again (except WAF part) :-(
The demand just isn't there.
the GPL side. Because open source is about community, and reaching critical mass is very hard, especially if you come with a nich? product aimed at the enterprise. This is a feat neither FWTK nor Zorp have been able to reach.Quite amazing, but fwtk (old TIS once) was there once. But it was 15 years ago :-(
I have only ever known one person who attempted to implement fwtk and actually proxy protocols. Everyone else just packet filters and calls it a firewall. And that's all any security standard or regulation I have ever seen requires as well.
Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall, IPCop, m0n0wall etc have reached that quite easy, but they are not really "aimed at the enterprise", they are aimed to be user-friendly at low end/soho.
Depends on what you mean by enterprise. I know lots of companies with millions in revenue using them.
Maybe I should start with designing simple kick-start tools for newbies? Will it help?
What would these tools be kick-starting?
6. The world is changing. This means that new buzzwords coming up, followed dutifully by the market. Fortunately new buzzwords usually mean the same old things. Those ideas which have been too immature 20 years ago, reemerge later in a different name and shape. You are looking for application level firewall? Look at "xml firewall" and "SOA firewall". They are out there. Yes, they are specialized into a very tiny subset of the problem space (and the rest is still uncovered), but maybe that is the most important part anyway.XML/SOA firewalls were expected to have great future, but they are useless unless you have detailed system design documents with data flow described in the tiniest details and you are ready to spend about 10% of resources (or even more) used to implement the system itself on security related issues.
A lot of this whole business sounds very buzzword compliant. A lot of people see to weigh the expense of purchasing/configuring/maintaining the fancy firewalls vs the perceived risk. They end up implementing nothing more than a packet filter.
I am also seeing labeling and information flow control gaining momentum. You should be very familiar with both TNI and the modern enterprise architecture to catch a glimpse of it, but it is there and growing. And our profession is changing, too.That's amazing, because from the very beginning it was quite obvious that labeling and information flow control is the foundation of information security.
That's one of the reasons why I like SE Linux. Labels are nice. Like having a nice type system in a programming language to make sure things don't go wrong.
Despite that, people ignored it for years, until they got better ad hoc labeling tools with DLP. Better later than never :-) Again, opensource solutions are barely visible here :-(
Again, no demand. Everyone wants a "community" and nobody wants to build something which hardly anyone will use.
I guess the first thing we do need is a good companion endpoint security solution, capable of data discovery and classification as well..
How would something like this work? -- Tracy Reed
Attachment:
_bin
Description:
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Proxies, opensource and the general market: what's wrong with us?, (continued)
- Re: Proxies, opensource and the general market: what's wrong with us? Magosányi Árpád (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? Claudio Telmon (Apr 29)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 29)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? Tracy Reed (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? David Lang (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 27)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? ArkanoiD (Apr 28)
- Re: Proxies, opensource and the general market: what's wrong with us? david (Apr 28)