Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: ArkanoiD <ark () eltex net>
Date: Tue, 26 Apr 2011 04:49:51 +0400

On Mon, Apr 25, 2011 at 02:24:04PM -0700, Tracy Reed wrote:
> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
>> Now both are either extinct or forced to an ugly low end (for
>> opensource,
>>
>> it usually means having no security-centric framework,
>
> What does this mean?
>
>> no common API,
>
> How would a firewall API work and what would it do? What does "common"
> mean in this context? Same API across multiple different firewall
> vendors?

A "framework" means it is not just a bunch of inconsistent code.
API... well, Gauntlet had a kind of API. Zorp does have one, OpenFWTK does.
A linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else,
despite the fact it can do "more".


>> no real code review
>
> Depends on what you mean by "real". I know tons of people look at the
> Linux firewall code.

You mean packet filter code? :-)


>> -- just a bunch of "functionally fit" free things installed on a linux
>> box with some simple web interface).
>
> I don't know what "functionally fit" means either.

See above.

> As for web interfaces, most of the Linux firewalls I've used (especially
> Shorewall, my favorite) have no web interface. I really don't want
> someone managing my firewall who requires a web interface. I also like
> to version control my firewall configs and back them up within my normal
> backup infrastructure which most web interfaces cannot handle.

Shorewall is just a packet filter configuration frontend.

>> -- It is all about features and support, no free solution fits.
>
> I can understand a company wanting support for their firewall. Support
> costs someone's time and that quite fairly costs money.
>
> As for features, what features are the real sticking points here? Are we
> just comparing bullet lists or do you really *need* certain features
> which are lacking?

We do. Say, dealing with webmail *exactly* the same way as "classic" email protocols is a must these
days.

>> Protocol support is not that good, no common management interface and
>
> What protocols are we talking about here and what are we wanting to do
> with them?
>
> What is an example of a commercial product that has a common management
> interface? What other product is it in common with?

"Common" means you may build a feature rich system using components you need.
It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.

>> not really ready for enterprise which is not full of geeks at all,
>
> I would think you would want to hire a geek to operate your firewall and
> other security infrastructure if security was important to you.
>
>> management overhead and TCO are going to jump up beyond any reasonable
>> limit.
>
> Why?
>
>> OpenDLP is just a sad joke, running a bunch of regexps against your
>> data is not the thing to be called DLP.
>
> How do the commercial products do it?

Lots of pretty complicated ways, including endpoint data discovery, digital fingerprinting, data normalization,
on-the-fly OCR and stuff.


>> As I am still running the OpenFWTK project, I have to admit I get
>> little to *NO* support from the Opensource community.
>
> I very rarely hear about openfwtk and I'm in the business. I know of
> very few companies who have deployed or want to run proxies. Most just
> stick with stateful packet filtering and maybe a squid/varnish proxy for
> http and call it a day. In order to have community support you have to
> have a community. There are 30 people in #shorewall on freenode.net and
> for nearly 10 years now there has always been someone to help out
> whenever I had an issue. The mailing list is quite active also. Tom
> Eastep does a fantastic job of running the project working with the
> community. openfwtk-devel at
> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
> emails in the archive over years. And no IRC channel. It is barely
> visible at all on the net. You don't get community support if you have
> no community.

Exactly how am I expected to get the community?
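The distinction the reply draws between "running a bunch of regexps" and real DLP (data normalization plus digital fingerprinting of registered documents) is illustrated by the following example. It is added here by the editor and is not code from OpenDLP, OpenFWTK or any product named in the thread; the protected document, the card-number pattern, the four-word shingle size and the 0.5 match threshold are all constructed assumptions for illustration.

```python
import hashlib
import re
from typing import List, Set

# Constructed sample of a confidential document registered with the DLP
# engine (assumption: any text the organisation wants to keep inside).
PROTECTED_DOC = (
    "Project Falcon quarterly roadmap. Release 2.1 ships the new billing engine "
    "in Q3, migrating all customer invoices to the Helios platform. Pricing for "
    "enterprise tier rises to 48 per seat; partners get 30 percent margin."
)

# A pattern rule of the kind a regex-only DLP runs: a card-number-like token.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

SHINGLE_WORDS = 4   # words per shingle; constructed tuning choice


def normalize(text: str) -> List[str]:
    """Data normalization step: lowercase, drop punctuation, collapse
    whitespace, so that re-flowing or re-casing a leaked excerpt does not
    change the word sequence that gets fingerprinted."""
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return text.split()


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> Set[str]:
    """Digital fingerprint: the set of truncated SHA-256 digests of every
    k-word shingle. Only digests are stored, never the document itself."""
    words = normalize(text)
    digests = set()
    for i in range(len(words) - k + 1):
        shingle = " ".join(words[i:i + k])
        digests.add(hashlib.sha256(shingle.encode("utf-8")).hexdigest()[:16])
    return digests


def overlap_ratio(candidate: str, registered: Set[str], k: int = SHINGLE_WORDS) -> float:
    """Share of the candidate's shingles that also occur in the registered
    fingerprint; 1.0 means every shingle came from a protected document."""
    cand = fingerprint(candidate, k)
    if not cand:
        return 0.0
    return len(cand & registered) / len(cand)


def regex_hit(text: str) -> bool:
    """The regex-only detector: fires on formatted identifiers and nothing else."""
    return CARD_RE.search(text) is not None


def classify(text: str, registered: Set[str], threshold: float = 0.5) -> List[str]:
    """Run both detectors and report which fired. A real engine would put
    endpoint discovery and OCR in front of this; here the text is given."""
    fired = []
    if regex_hit(text):
        fired.append("regex")
    if overlap_ratio(text, registered) >= threshold:
        fired.append("fingerprint")
    return fired


# Registration happens once, offline; only the digest set is kept.
REGISTERED = fingerprint(PROTECTED_DOC)

if __name__ == "__main__":
    # Constructed inputs: a formatted card number, a re-cased and re-flowed
    # excerpt of the roadmap, a partial paraphrase, and unrelated text.
    samples = {
        "card": "Card: 4111 1111 1111 1111",
        "leak": "RELEASE 2.1 ships the NEW billing engine in q3,\n"
                "  migrating all customer invoices to the helios platform.",
        "partial": "Release 2.1 ships the new billing engine in Q3 to every customer",
        "harmless": "The quick brown fox jumps over the lazy dog near the billing office",
    }
    for name, text in samples.items():
        print(f"{name:9s} regex={regex_hit(text)!s:5s} "
              f"overlap={overlap_ratio(text, REGISTERED):.2f} "
              f"fired={classify(text, REGISTERED)}")
```

The regex rule catches the card number and nothing else; the re-flowed roadmap excerpt passes it untouched but scores a full fingerprint overlap, and the partial paraphrase still scores 0.7 because most of its four-word shingles come from the registered text. That gap, a regex rule seeing zero risk in a document leak, is the point the reply makes about OpenDLP-style matching.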



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
