Firewall Wizards mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 26 May 2006 12:49:05 -0700
> In infosec today we are coining terms and creating methods on a daily basis - this is not a mature area of endeavor. When it is a mature space, we will have much more "integrated" "weapons platforms", whether single-vendor or standards-based.
argh. i resisted as long as i could...

back in the distant past when i was teaching eager young network admins about VPN technology (say, 1997), i would frequently predict that within a couple of years, there wouldn't *be* any third party VPN systems. things like opportunistic encryption and IPv6 (which incorporated the kinds of things you were "doing" with the VPN anyhow) would be widely deployed within operating systems' network stacks. you might have one or two serious niche vendors for things like military and hard-core financial, but for most folks "what the computer did" would be good enough.

now, of course, i point to the timeframe of that prediction as an obvious sign of my being *way* too optimistic about the market. but i think the *idea* is still valid, if taking way longer than it would in a more rational world.

think about user authentication. once upon a time, we didn't *do* user authentication, cos there just weren't very many people on the machines. then it became necessary -- and users *bitched* about the great torture of having to type their poorly-chosen passwords -- and now hardly anyone thinks about its necessity. yeah, there are a couple of companies trying to make high end, uber-auth-on-steroids versions -- and yeah, there are lots of problems in the current design, like dependence on re-usable passwords and lack of ability to do really fine grained authorization based on userID or org role. and oh joy, single sign-on. but in fact the incorporation and acceptance of user authentication on a system-by-system basis is something no one really argues about any more.

MS, heaven help us all, has taken the idea of user authentication and authorization a step further by building the *only* possible enterprise wide IPsec management infrastructure in the world, by allowing orgs to tie user rights and machine communications policies into a crypto infrastructure. they've been using that capability since before blaster, to give admins a better way to do firewalling than using the silly firewall that comes with XP. this is a huge big deal, and they've done it very quietly. i don't understand *why* they're so quiet about it, actually, especially with all the current ruckus about "NAC."

fact is, although the unix-loving-MS-bashing crowd in which i occasionally run (*grins*) would never trust it, the combination of active directory based policies and IPsec based network enforcement has *already* put the entire community of third-party NAC vendors out of business. your enterprise windows admins have invested years of time and energy into building the right set of policies for their organization, and they're not going to take kindly to a third party telling them they have to replicate all that policy info in a separate location. again, there may be an exception for the few orgs that want something really posh, or haven't figured out how to do the same management tricks for OS X and unix with ipsec.

but if you step back from the marketing fireworks and the OS religious battles, and think about what you actually want to DO with a particular security technology... surely there's a utopia out there somewhere in which all those functions are incorporated into the OS itself, in EXACTLY THE SAME WAY that operating systems now have user authentication (for better or for worse) and a TCP/IP stack incorporated.

long term survival will go to the folks who learn how to integrate what they're doing into what "most folks" already do. and of course, to us poor slobs who have a knack for making them all play nice together...

hmm. good thing i polished up my rather battered crystal ball :-) in time for the long weekend.

cheers - tbird