Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

[Chris Blask <chris () blask org>]

At 08:24 PM 25/05/2006, Marcus J. Ranum wrote:

Hey M. JR!

> I think it's going to happen no matter what anyone wants. Because
> the security market is consolidating into 2 types of companies:
> - single solution VC-backed start-ups chasing the hot topic du jour
> - huge mega corporations that don't actually develop anything and
>        simply buy and integrate technologies to a greater or lesser
>        degree

...and that's not all bad.  

o  The best gadget in the world is no good if the maker doesn't survive to support it.  
o  Another analog to twist would be: a bunch of talented and enthusiastic guerillas may be good at the start of a 
conflict, but when it gets really serious you'll be unhappy if you are not the one with the integrated weapons 
platform...

> Basically, 'best of breed' only survives in a market that has not
> stabilized yet, and security has stabilized to the point where, basically,
> it's just marketing weasels coming up with cool new names for proxies,
> packet filtering, and signature matching.

Inasmuch as proxies, packet filters and signature matching have been done already, there isn't anything left but for 
Sears and Walmart to argue about whether theirs is 8% greener or cheaper.  I mean, if an engineer at Volvo comes up 
with a really neat material for a crank bearing it isn't going to change the world by itself.

> I agree with you that best of breed and defense in depth make a great
> deal of sense but the commercial security market will likely not support a
> vibrant vendor-base much longer. 

An interesting proof of open source philosophy would be Enterprise-viable open source solutions large and small that 
would compete with commercial offerings.  With a stabilized market, there shouldn't be any reason that the open source 
community couldn't amass a large enough variety of tools and mature integrated/ing packages to drive competitive 
evolution in commercial products.  To date this whole infrastructure is only half baked so open source isn't any more 
complete, consumable and reliable than some single-vendor or psuedo-BoB alternative, but given time to stretch its legs 
I'd be disappointed if it didn't show well.

Open source is always amazing at coming up with new things.  Let's see if it can come up with scalable security.

> Indeed, my guess is that security,
> as a market separate from network infrastructure/management and
> system administration is not likely to last another 10 years. If you
> look at the current trends, it may even happen that the security market
> will be mostly gone in 5. Once the big players have absorbed enough
> basic security features they'll be able to suck the oxygen away from the
> remaining small players by offering those features as freebie option-ons
> and it's "game over, man."

Ten years from now we should have at least a solid handle on the complete model of what a secure global internet thing 
looks like.  If there are still waves of security-topic-of-the-day startups being funded 10 or 15 years from now then 
hosts will have to actually suck more than this unprotectable windows piece of cr@p I'm typing on now, and we've all 
screwed up in letting it drag on so long.

Maybe the current crop of startups is among the last and will mature out in five years or so, but I think things are 
still more screwed up than that.  Specialized security startups could pop up forever, but there has to eventually be an 
"end" of sorts to inventing basic nuts and bolts.

> By the way, NONE of this will result in the end users having usable
> and effective security. Remember, the security market does not exist
> to provide security; it exists for itself. When it's a dried-out husk the
> game will move someplace else and you'll STILL have insecure
> systems.

:~)

Maybe it's the longer cycle that contains the Secure Solution.  Let the rabid growth and invention phase move past and 
allow to cool on a window-ledge for a few decades...?

-woof!

-chris


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.392 / Virus Database: 268.7.0/345 - Release Date: 22/05/2006


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards