Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: ArkanoiD <ark () eltex net>
Date: Tue, 26 Apr 2011 17:03:27 +0400
On Tue, Apr 26, 2011 at 10:03:04AM +0200, Magosányi Árpád wrote:
3. Actually using real firewalls meaningfully needs a level of maturity which very few enterprises possess. a) As we all know, the firewall operator is the one who should chase down programming bugs at the end of the day simply because s/he is in the position to see all parts of the puzzle. It is a big burden, and easier just to allow anything through than make a real solution. And the one who should solve the problem is not the firewall operator. You need a very strong exception management procedure to handle only that aspect (ITIL as used today is just not enough for this). And we were talking about only simple breaches of the protocol. It happens everywhere, the http proxy to the outer world is being a prominent example of how impossible this mission could get.
There are some right things happening, though. I see many firewalls are now capable of dealing with HTTP-based applications in quite complex ways. Looks like FOSS is lagging behind again (except for the WAF part) :-( [...]
b) Now let's talk about the cases when you need more than check for protocol compliance. The first question is: how will you identify the security function you have to implement in the firewall? The answer is easy: from the design documentation of the system protected. So you first need meaningful design documentation (mission impossible one), a security assessment of that on a meaningful level (mission impossible two), and a good procedure to turn the security problems of the protected system to requirements against the environment. This needs a strong enterprise architecture (mission impossible #3 because of COTS products), and very high procedural maturity.
Sure, that's where open source tools could shine, but things are quite different in the so-called "real world" :-( [...]
the GPL side. Because open source is about community, and reaching critical mass is very hard, especially if you come with a niche product aimed at the enterprise. This is a feat neither FWTK nor Zorp have been able to reach.
Quite amazing, but fwtk (the old TIS one) was there once. But it was 15 years ago :-( Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall, IPCop, m0n0wall etc. have reached that quite easily, but they are not really "aimed at the enterprise", they are aimed to be user-friendly at the low end/SOHO. I was referring to it as "cheapo crap", well, it sounds too rude, but it was just intended to describe this positioning. Maybe I should start with designing simple kick-start tools for newbies? Will it help? [...]
have learned to live with it long ago. And they cannot afford to have a solution which needs much thinking: you can build a small company on a handful of brilliant people, but enterprises are run by Average Joes. So offering a product with features to the enterprise is a bad move. You should give them a solution to some problem that hurts, and it should be dead simple. We have lost at this point forever:)
I think you are right. I did force myself to read the whole CMM document and the only conclusion I got from it was "It is pretty complicated way to get things done (even with terrible overhead, but still done) if every person involved is either a moron, a dumbass, saboteur, just clueless or all of the above".
6. The world is changing. This means that new buzzwords coming up, followed dutifully by the market. Fortunately new buzzwords usually mean the same old things. Those ideas which have been too immature 20 years ago, reemerge later in a different name and shape. You are looking for application level firewall? Look at "xml firewall" and "SOA firewall". They are out there. Yes, they are specialized into a very tiny subset of the problem space (and the rest is still uncovered), but maybe that is the most important part anyway.
XML/SOA firewalls were expected to have a great future, but they are useless unless you have detailed system design documents with data flow described in the tiniest details and you are ready to spend about 10% of the resources (or even more) used to implement the system itself on security-related issues. In the real world it means "almost never". Some enterprises buy it anyway, because "XML firewall" sounds cool.
I am also seeing labeling and information flow control gaining momentum. You should be very familiar with both TNI and the modern enterprise architecture to catch a glimpse of it, but it is there and growing. And our profession is changing, too.
That's amazing, because from the very beginning it was quite obvious that labeling and information flow control are the foundation of information security. Despite that, people ignored it for years, until they got better ad hoc labeling tools with DLP. Better late than never :-) Again, open source solutions are barely visible here :-(
In the good old days when fwtk was born, we were some kind of Unix people. Then we became network people. Now I would say that firewalls are about architecture. And they will never be the same again.
It was always about architecture :-)
As a summary, open source application level firewalls have two serious problems. One is that open source aimed at the enterprise is not a good bet right now. I think it will change (there is progress), but we need years for that. The other is that application level firewalls as you and I think about them are practically dead right now. No problem, it is still - and will ever be - a niche on which we can feed some tens of programmers, but if you want to get out from that dead end, you have to have a good bet on where the industry will go, and play it. (I have my bet, BTW.)
I guess the first thing we do need is a good companion endpoint security solution, capable of data discovery and classification as well.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards