Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

["Marcus J. Ranum" <mjr () ranum com>]

ArkanoiD wrote:
> > My guess is that that VCs would split a rib laughing if someone came
> > to them with a business plan for a new firewall company. :) 
>
> Damn sure. And maybe that's why we have nothing like "Gauntlet on steroids"
> (flexible, expandable and supported with development team who is willing
> to help to integrate it with any customer application) these days, though 
> there definitely *is* some niche market demand for it.

It's not a matter of funding - it's more a matter that there's no economic
niche in which someone could offer such a thing and survive to continue
doing so. Because 95% of their target customer base would ignore
what they offered and follow the herd and buy whatever the big
conglomerates are pushing ( CA / Symantec / Checkpoint / Cisco, etc).
The remaining 5% of the potential customer base would represent
the clueful consumers, among whom probably 1/2 (or 3%) are
cost-constrained - have you ever noticed how being cost constrained
makes IT specialists use their brains harder? - and they'd go with
some kind of "free" open source solution. That'd leave a target customer
base of maybe 2% of the overall market. Which, in the words of
Peter Kuper "that's not a market, that's a hobby."

Kuper gave a talk I attended a year ago, or so, which was really
sobering and very thought-provoking. In it, he pointed out that if you
took the total US spend on computer security, and subtracted
out of it the security revenues of the top 5 players, you've only
got something like 4% of the target revenues remaining. So there
are 800+ security-related companies fighting over that 5% and
even if you assume the revenues get distributed evenly that's
something like $20 million / year apiece. When you add to the
mix the fact that most of the 800+ security companies on the
market are VC funded in some way, and are not profitable, it
means there's going to be a great big die-off coming in the
not-too-distant future. Throw the open source "X factor" into the
mix and it gets even more explosive - if you're a small start-up
producing a decent widget and some open source project
comes along producing a 95% decent widget you're likely to see
your economic niche shrink to a thread overnight.

> We are lucky XML firewalls became reality, thanks to people who made those.

I'm on the fence about that one. Having XML firewalls is kind of
luck having a nice band-aid to put over your sucking chest wound.
Well, it's great, but you'd rather not have had the sucking chest
wound in the first place.

> There is *NO* firewall with reasonable IMAP proxy implementation! No one at
> all!

There is *NO* market for one. None at all!!
Customers will prefer, any day of the week, to buy a high-speed
"deep psychic turbo packet multi layer do-diddly packet blender"
firewall that's basically an in-silicon switch that knows how to
update a state table entry and does regexps to look for well-known
attacks against IMAP. And the sophisticated customers at the
low end of the market will just grit their teeth and build their own
out of courier + postfix or whatever and have something that's
free, a bit unwieldy, but basically OK.

> And when i try to tell someone i am firewall developer, they usually think
> it is another stupid linux-based packet filter hacked together with bunch 
> of freeware tools hiding its incredible uglyness behind the web interface. 
> Even before i tell a word. Just because everyone does that and main competition
> is to make it cheaper.

...and faster. Don't forget faster!
If you can't be good   ...be really fast.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards