Firewall Wizards mailing list archives
Re: Next Generation Security Architecture
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Fri, 16 Feb 2001 12:22:42 -0500
Darren Reed wrote:
I think your problem will be that (a) there is money to be made from such ideas and [...]
I was recently meeting with a bunch of venture capitalists and they asked me "why won't someone just build an all-singing all-dancing chop-dice-slice-shred-floorwax-dessert topping security system and own the whole market?" (implying I should)

I don't think it's possible because in order to "do it right" one would need to build best-of-breed solutions for each component of: access control antivirus detection visualization/alerting/analysis/management workflow policy and management VPN email encryption certificates etc....

That's a huge order. I don't think it's possible to solve all those problems simultaneously and well. It's possible to solve them all simultaneously and badly - by acquiring technology and trying to glue it together with duct tape, spit, and wet soap.

So, my answer is "ain't going to happen" because the cost of entry is prohibitively high. In the time during which you're developing your complete solution, faster-moving competitors will gain market share with "best of breed" (or well-marketed) point products. Then, once you've rolled out your whole solution, you'll be tormented by customers who already have an installed base and want you to ensure compatibility in order to preserve their "investment" - which means you'll be forced to break out the duct tape, spit, and wet soap and your architecture will go to hell in a handcart (or worse, be full of security holes).

In '97 (I think it was) I suggested that we scrap all our applications and start over, with consistent interface policies and some decent underlying application protocols. If you want to amuse yourself with the speech, there's an MP3 of it on:
http://web.ranum.com/usenix/mjr-blackhat-97.mp3

For all that I was trying to be ridiculous I think there's some merit to some of the concepts, if you're willing to be idealistic. We (as an industry) spend $600mm++ per year on "firewalls" -- a technology most advanced security thinkers recognize as inherently limited in its effective lifespan. For that kind of money, one could make big strides towards an actual solution. But in order to do it, one would have to keep the standards weenies and government "assistance" out of the picture, and just let a top-notch team of technologists (assuming you could find the right people and fit all their egos into the same building) solve the problem.

That was 1997. Since then, I've spent even more time with the venture guys and I've been running a business. I don't have any naive hopes like that for a solution, anymore.

mjr.
---
Marcus J. Ranum, Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Play: http://www.ranum.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards