Firewall Wizards mailing list archives
Re: [fwd] Firewall Products: Many Not Ready For Prime Time,
From: Christopher Nicholls <chrisn () softway com au>
Date: Thu, 02 Apr 1998 11:17:57 +1000
At 15:39 1/04/98 -0800, David Bonn wrote:
"Chris" == Christopher Nicholls <chrisn () softway com au> writes: "Jody" wrote:Jody> I refer to this as the Mojo Bag Theory of Firewall Purchase. The Jody> idea is that you buy one and just having it keeps away the evil eye.
:-)
Jody> (Burning incense in front of the firewall may or may not be a "best Jody> practice", depending on the particular shaman, er, consultant, that you Jody> call in to do the eval.) Chris> I couldn't agree more. Further, I think one of the most alarming Chris> trends developing is the movement towards "shrink-wrap firewalls" - Chris> buy now pay later! If ever there was an item not to be bought Chris> off-the-shelf, it's security. Maybe one day we will be able to use Chris> self configuring f/w "..yessiree, just plug in your security policy Chris> here Mr Customer... you don't have one? Never mind - use our default Chris> virtual policy!". Sounds a bit like the beginnings of a very Chris> interesting 1 April prank... I'm speaking from some obvious corporate biases here, since my employer is probably one of the companies you are speaking of.
It was more the *perception* of the product as a "shrink-wrap" rather than the product itself that I was aiming at. That is "I buy one of these, connect it to my network and voila! Instant security". We are not there yet.
What you're really paying for when you hire a security consultant is *expertise*. Now, good judgement comes from experience (and experience comes from bad judgement, but that's another story ;). Now, do security consultants build each and every security policy and configuration from scratch? Probably not if they want to make money. What they will usually do is grab some solution from a similar situation they saw in the past and modify it for the local configuration. This is a good thing. The customers are paying for someone with experience and expertise, and wasting the customers money and the consultant's time reinventing the wheel is silly at best and borderline unethical at worst. Given that, what's wrong with encapsulating experience and expertise into software? Or to ask the question another way, what aspects of security systems are resistant to encapsulation into software?
How much can be replicated and how much must be customised ? - That is the question. The priorities of organisations are *not* all the same - nor are their networks. Consider a Bank's security requirments versus an auto retailer (for eg.)? You would have to have a multitude of different grades and types of security policy implementations... Poor MIS manager... store manager, fall guy. Which one to implement? The generic security policy is an interesting concept, potentially fraught with problems. I still think that you need to do more than this.
If you compare firewall unit sales with internet growth, it looks probable that only about ten percent of the potential customer base are purchasing firewalls of any kind. Can anyone argue with a straight face that that ninety percent is better off with no security software at all?
Absolutely not - the problem exists when enterprises start making decisions based upon lack of experience, marketspeak and ill-informed decisions.... If we reduce security to that level, we end up with organisations who *think* they are secure... but aren't. This is happening a lot. They have to take it more seriously and that means the security community needs not only to make everyone more "paranoid" but more informed, and better prepared.
Chris> But how do you convince the MIS Manager that 1) this is ot a good Chris> approach, 2) you (the consultant) are not just holding the high Chris> intelectual ground to prevent them from such implementations and 3) IT Chris> security is not talismans and incense? Most customers I've seen have no equivalent of an MIS manager. Many of them don't even have an on-site network administrator. I'm not saying that they don't *need* such people, but the reality is that a lot of organizations who are connecting to the internet There are a lot of clueless people deploying large internets these days. You probably don't have to look much further than your local government to find horrifying examples. How do we help these people? Remember that most of them can't (or won't) drop a thousand bucks a day to have some high-hat security guy come in and tell them how to run their network.
One way is by educating - the involvement of It security industry associations here is very important. Together the IT security community can bring forward the level of understanding and make the decision-making process far better for the enterprises to which you refer.
Chris> A firewall is not a means unto itself - it is only the proverbial tip Chris> of the (security) iceberg. Certainly true. Consider that if a firewall is easier to configure and manage, there might be more time and more resources available for the rest of the iceberg.
Absolutely. But you *cannot* state that because a firewall is easy to configure, and has a brilliant user-interface that the security will be better. That is a big misconception. The software is only capable of doing what it is configured to do. Tell it to let anyone in and it will allow it. So much for ease-of-use then. I do not believe we have produced the AI-Firewall yet... Regards Christopher ----------------------------------------------------------------------------- Christopher Nicholls chrisn () dynamite com au ~~~~~~~ chrisn () softway com au ----------------------------------------------------------------------------- m: 0411 454755 w: +61 2 6243 4834 h: +61 2 6241 2112 wf: +61 2 6243 4848 hf: +61 2 6241 8926 ---------------------------------------------------------------------------- -
Current thread:
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Study Says C Matthew Curtin (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Study Says Adam Shostack (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Study Says Marcus J. Ranum (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Jody Patilla (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Christopher Nicholls (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Adam Shostack (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Christopher Nicholls (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, David Bonn (Apr 02)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Christopher Nicholls (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Christopher Nicholls (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Study Says Adam Shostack (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Rick Smith (Apr 01)
- Re: [fwd] Firewall Products: Many Not Ready For Prime Time, Study Says -= ArkanoiD =- (Apr 02)