Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 26 May 2006 09:42:32 -0400
ArkanoiD wrote:
My guess is that VCs would split a rib laughing if someone came to them with a business plan for a new firewall company. :)
Damn sure. And maybe that's why we have nothing like "Gauntlet on steroids" (flexible, expandable and supported by a development team that is willing to help integrate it with any customer application) these days, though there definitely *is* some niche market demand for it.
It's not a matter of funding - it's more a matter that there's no economic niche in which someone could offer such a thing and survive to continue doing so. Because 95% of their target customer base would ignore what they offered and follow the herd and buy whatever the big conglomerates are pushing (CA / Symantec / Checkpoint / Cisco, etc.). The remaining 5% of the potential customer base would represent the clueful consumers, among whom probably 1/2 (or 3%) are cost-constrained - have you ever noticed how being cost constrained makes IT specialists use their brains harder? - and they'd go with some kind of "free" open source solution. That'd leave a target customer base of maybe 2% of the overall market. Which, in the words of Peter Kuper, "that's not a market, that's a hobby."
Kuper gave a talk I attended a year ago, or so, which was really sobering and very thought-provoking. In it, he pointed out that if you took the total US spend on computer security, and subtracted out of it the security revenues of the top 5 players, you've only got something like 4% of the target revenues remaining. So there are 800+ security-related companies fighting over that 5% and even if you assume the revenues get distributed evenly that's something like $20 million / year apiece. When you add to the mix the fact that most of the 800+ security companies on the market are VC funded in some way, and are not profitable, it means there's going to be a great big die-off coming in the not-too-distant future.
Throw the open source "X factor" into the mix and it gets even more explosive - if you're a small start-up producing a decent widget and some open source project comes along producing a 95% decent widget you're likely to see your economic niche shrink to a thread overnight.
We are lucky XML firewalls became reality, thanks to people who made those.
I'm on the fence about that one. Having XML firewalls is kind of like having a nice band-aid to put over your sucking chest wound. Well, it's great, but you'd rather not have had the sucking chest wound in the first place.
There is *NO* firewall with reasonable IMAP proxy implementation! No one at all!
There is *NO* market for one. None at all!! Customers will prefer, any day of the week, to buy a high-speed "deep psychic turbo packet multi layer do-diddly packet blender" firewall that's basically an in-silicon switch that knows how to update a state table entry and does regexps to look for well-known attacks against IMAP. And the sophisticated customers at the low end of the market will just grit their teeth and build their own out of courier + postfix or whatever and have something that's free, a bit unwieldy, but basically OK.
And when I try to tell someone I am a firewall developer, they usually think it is another stupid Linux-based packet filter hacked together with a bunch of freeware tools hiding its incredible ugliness behind the web interface. Even before I say a word. Just because everyone does that and the main competition is to make it cheaper.
...and faster. Don't forget faster! If you can't be good ...be really fast.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards