Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Tracy Reed <treed () ultraviolet org>
Date: Wed, 27 Apr 2011 15:38:49 -0700

On Tue, Apr 26, 2011 at 05:03:27PM +0400, ArkanoiD spake thusly:
There are some right things happening, though. I see many firewalls are now
capable of dealing with http based applications in quite complex ways.
Looks like FOSS is lagging behind again (except WAF part) :-(

The demand just isn't there.

the GPL side. Because open source is about community, and reaching critical
mass is very hard, especially if you come with a niche product aimed at the
enterprise. This is a feat neither FWTK nor Zorp have been able to reach. 

Quite amazing, but fwtk (old TIS once) was there once. But it was 15 years
ago :-( 

I have only ever known one person who attempted to implement fwtk and actually
proxy protocols. Everyone else just packet filters and calls it a firewall. And
that's all any security standard or regulation I have ever seen requires as
well.

Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall,
IPCop, m0n0wall etc have reached that quite easily, but they are not really
"aimed at the enterprise", they are aimed to be user-friendly at low
end/soho. 

Depends on what you mean by enterprise. I know lots of companies with millions
in revenue using them.

Maybe I should start with designing simple kick-start tools for newbies? Will
it help?

What would these tools be kick-starting?

6. The world is changing. This means that new buzzwords coming up, followed
dutifully by the market. Fortunately new buzzwords usually mean the same
old things. Those ideas which have been too immature 20 years ago, reemerge
later in a different name and shape. You are looking for application level
firewall? Look at "xml firewall" and "SOA firewall".  They are out there.
Yes, they are specialized into a very tiny subset of the problem space (and
the rest is still uncovered), but maybe that is the most important part
anyway. 

XML/SOA firewalls were expected to have great future, but they are useless
unless you have detailed system design documents with data flow described in
the tiniest details and you are ready to spend about 10% of resources (or
even more) used to implement the system itself on security related issues.

A lot of this whole business sounds very buzzword compliant. A lot of people
seem to weigh the expense of purchasing/configuring/maintaining the fancy
firewalls vs the perceived risk. They end up implementing nothing more than a
packet filter.

I am also seeing labeling and information flow control gaining momentum.
You should be very familiar with both TNI and the modern enterprise
architecture to catch a glimpse of it, but it is there and growing. And our
profession is changing, too. 

That's amazing, because from the very beginning it was quite obvious that
labeling and information flow control is the foundation of information
security.

That's one of the reasons why I like SE Linux. Labels are nice. Like having a
nice type system in a programming language to make sure things don't go wrong.

Despite that, people ignored it for years, until they got better ad hoc
labeling tools with DLP.  Better later than never :-) Again, opensource
solutions are barely visible here :-(

Again, no demand. Everyone wants a "community" and nobody wants to build
something which hardly anyone will use.

I guess the first thing we do need is a good companion endpoint security
solution, capable of data discovery and classification as well..

How would something like this work?

-- 
Tracy Reed
