Re: [fwd] Firewall Products: Many Not Ready For Prime Time,

[Christopher Nicholls <chrisn () softway com au>]

At 15:39 1/04/98 -0800, David Bonn wrote:
> > > > > > "Chris" == Christopher Nicholls <chrisn () softway com au> writes:
> > > > > > "Jody" wrote:
>
> Jody> I refer to this as the Mojo Bag Theory of Firewall Purchase. The
> Jody> idea is that you buy one and just having it keeps away the evil eye.
:-)
> Jody> (Burning incense in front of the firewall may or may not be a "best
> Jody> practice", depending on the particular shaman, er, consultant, that you
> Jody> call in to do the eval.)
>
> Chris> I couldn't agree more. Further, I think one of the most alarming
> Chris> trends developing is the movement towards "shrink-wrap firewalls" -
> Chris> buy now pay later! If ever there was an item not to be bought
> Chris> off-the-shelf, it's security. Maybe one day we will be able to use
> Chris> self configuring f/w "..yessiree, just plug in your security policy
> Chris> here Mr Customer... you don't have one? Never mind - use our default
> Chris> virtual policy!". Sounds a bit like the beginnings of a very
> Chris> interesting 1 April prank...
>
> I'm speaking from some obvious corporate biases here, since my
> employer is probably one of the companies you are speaking of.

It was more the *perception* of the product as a "shrink-wrap" rather than
the product itself that I was aiming at. That is "I buy one of these,
connect it to my network and voila! Instant security". We are not there yet.
> What you're really paying for when you hire a security consultant is
> *expertise*.  Now, good judgement comes from experience (and
> experience comes from bad judgement, but that's another story ;).
> Now, do security consultants build each and every security policy and
> configuration from scratch?  Probably not if they want to make money.
> What they will usually do is grab some solution from a similar
> situation they saw in the past and modify it for the local
> configuration.
>
> This is a good thing.  The customers are paying for someone with
> experience and expertise, and wasting the customers money and the
> consultant's time reinventing the wheel is silly at best and
> borderline unethical at worst.
>
> Given that, what's wrong with encapsulating experience and expertise
> into software?  Or to ask the question another way, what aspects of
> security systems are resistant to encapsulation into software?

How much can be replicated and how much must be customised ? - That is the
question. The priorities of organisations are *not* all the same - nor are
their networks. Consider a Bank's security requirments versus an auto
retailer (for eg.)? You would have to have a multitude of different grades
and types of security policy implementations... Poor MIS manager... store
manager, fall guy. Which one to implement?

The generic security policy is an interesting concept, potentially fraught
with problems. I still think that you need to do more than this.

> If you compare firewall unit sales with internet growth, it looks
> probable that only about ten percent of the potential customer base
> are purchasing firewalls of any kind.  Can anyone argue with a
> straight face that that ninety percent is better off with no security
> software at all?

Absolutely not - the problem exists when enterprises start making decisions
based upon lack of experience, marketspeak and ill-informed decisions....
If we reduce security to that level, we end up with organisations who
*think* they are secure... but aren't. This is happening a lot. They have
to take it more seriously and that means the security community needs not
only to make everyone more "paranoid" but more informed, and better prepared.

> Chris> But how do you convince the MIS Manager that 1) this is ot a good
> Chris> approach, 2) you (the consultant) are not just holding the high
> Chris> intelectual ground to prevent them from such implementations and 3) IT
> Chris> security is not talismans and incense?
>
> Most customers I've seen have no equivalent of an MIS manager.  Many
> of them don't even have an on-site network administrator.  I'm not
> saying that they don't *need* such people, but the reality is that a
> lot of organizations who are connecting to the internet
>
> There are a lot of clueless people deploying large internets these
> days.  You probably don't have to look much further than your local
> government to find horrifying examples.
>
> How do we help these people?  Remember that most of them can't (or
> won't) drop a thousand bucks a day to have some high-hat security guy
> come in and tell them how to run their network.

One way is by educating - the involvement of It security industry
associations here is very important. Together the IT security community can
bring forward the level of understanding and make the decision-making
process far better for the enterprises to which you refer.
> Chris> A firewall is not a means unto itself - it is only the proverbial tip
> Chris> of the (security) iceberg.
>
> Certainly true.
>
> Consider that if a firewall is easier to configure and manage, there
> might be more time and more resources available for the rest of the
> iceberg.

Absolutely. But you *cannot* state that because a firewall is easy to
configure, and has a brilliant user-interface that the security will be
better. That is a big misconception. The software is only capable of doing
what it is configured to do. Tell it to let anyone in and it will allow it.
So much for ease-of-use then. 

I do not believe we have produced the AI-Firewall yet...

Regards

Christopher
-----------------------------------------------------------------------------
Christopher Nicholls
chrisn () dynamite com au   ~~~~~~~   chrisn () softway com au
-----------------------------------------------------------------------------
m:      0411 454755     
w:      +61 2 6243 4834 h:      +61 2 6241 2112
wf:     +61 2 6243 4848 hf:     +61 2 6241 8926
----------------------------------------------------------------------------
-