Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Claudio Telmon <claudio () telmon org>
Date: Tue, 26 Apr 2011 10:51:35 +0200

On 04/24/2011 07:27 PM, ArkanoiD wrote:
In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.

Hi,
proxy firewalls are almost dead also as closed source products. They
lack the flexibility needed for dealing with new protocols, especially
those based on UDP, which are much more common now. IMHO this is exactly
why, as fwtk died, not many cared about openfwtk. Currently, from what I
can see, there are almost only reverse proxies; almost nobody puts
proxies in front of the Internet.

WRT performance, I agree with Tracy that most networks don't need the
Gbps speeds in front of the Internet, but many don't feel comfortable
with 100 Mbps when dealing with local traffic, and most
security-conscious companies don't just have firewalls in front of the
Internet. But there are solutions: ntop's PF_RING
http://www.ntop.org/PF_RING.html is an example of how much can be
achieved when a system is not general purpose.

IMHO the problem is, for many years firewalls have been "trivial" tools
that had little firewalling features, fighting on performance,
integration with e.g. VPN and load balancers etc. Vendors had to invent
the "deep packet inspection" in order to say that they actually *do*
some checks ;) But still, the recent problems with split handshake seem
to show that some/many firewalls don't even enforce proper protocol
syntax (how could they otherwise be confused on the direction of
protocol sessions, no matter how the handshake happened?) and still
nobody cares. It is "normal" that a firewall mostly enforces protocols
up to tcp, and then something else (IPS, WAF, etc) deals with "content".
And I know many companies that don't even enable the "deep packet
inspection" features of their high-end firewall, fearing it would create a
bottleneck ;) So, still nobody cares about what the firewall actually
can do ;) I agree with Marcus that APT could increase the attention on
what's happening on the network, but since most companies don't really
understand security, most will happily buy some DLP product, put it
somewhere and forget it, since more effective solutions would need to
have somebody reading and understanding the reports, and that costs
money (OPEX) ;)

An OSS firewall would need to either provide something "new" and
interesting that current products don't have, or provide at least the
same "features" of current products, including integration with load
balancing, vpn, etc. Also, proxies could be used for e.g. some addresses
and some protocols, and keep the option to use packet filtering for
others. I know that this can be done, but not many have the skills
required to assemble all of these components, so all of this should be
provided as a "package", or else the project wouldn't reach the critical
mass for success.

If you look for a community, you could look at the OWASP community: while
"testing" is much more fun than protecting ;), you could find some
help there. I don't agree with Marcus that you can't fight with 20
engineers; almost all OSS projects do, and their success or failure is
hardly related to this kind of competition.

Regards,

- Claudio

-- 

Claudio Telmon
claudio () telmon org
http://www.telmon.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
