Firewall Wizards mailing list archives

Re: Next Generation Security Architecture


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Fri, 16 Feb 2001 12:22:42 -0500

Darren Reed wrote:
> I think your problem will be that (a) there is money to be made from
> such ideas and [...]

I was recently meeting with a bunch of venture capitalists and they
asked me "why won't someone just build an all-singing all-dancing
chop-dice-slice-shred-floorwax-dessert topping security system and
own the whole market?" (implying I should). I don't think it's possible
because in order to "do it right" one would need to build best-of-breed
solutions for each component of:
access control
antivirus
detection
visualization/alerting/analysis/management workflow
policy and management
VPN
email encryption
certificates
etc....

That's a huge order. I don't think it's possible to solve all those problems
simultaneously and well. It's possible to solve them all simultaneously
and badly - by acquiring technology and trying to glue it together with
duct tape, spit, and wet soap.

So, my answer is "ain't going to happen" because the cost of entry
is prohibitively high. In the time during which you're developing your
complete solution, faster-moving competitors will gain market share
with "best of breed" (or well-marketed) point products. Then, once you've
rolled out your whole solution, you'll be tormented by customers who
already have an installed base and want you to ensure compatibility
in order to preserve their "investment" - which means you'll be forced
to break out the duct tape, spit, and wet soap and your architecture
will go to hell in a handcart (or worse, be full of security holes).

In '97 (I think it was) I suggested that we scrap all our applications
and start over, with consistent interface policies and some decent
underlying application protocols. If you want to amuse yourself
with the speech, there's an MP3 of it on:
http://web.ranum.com/usenix/mjr-blackhat-97.mp3
For all that I was trying to be ridiculous I think there's some merit to
some of the concepts, if you're willing to be idealistic. We (as an
industry) spend $600mm++ per year on "firewalls" -- a technology
most advanced security thinkers recognize as inherently limited
in its effective lifespan. For that kind of money, one could make big
strides towards an actual solution. But in order to do it, one would
have to keep the standards weenies and government "assistance"
out of the picture, and just let a top-notch team of technologists
(assuming you could find the right people and fit all their egos into
the same building) solve the problem.

That was 1997. Since then, I've spent even more time with the
venture guys and I've been running a business. I don't have any
naive hopes like that for a solution, anymore.

mjr.
---
Marcus J. Ranum, Chief Technology Officer, NFR Security, Inc.
Work:   http://www.nfr.com
Play: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards