Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Claudio Telmon <claudio () telmon org>
Date: Tue, 26 Apr 2011 10:51:35 +0200
On 04/24/2011 07:27 PM, ArkanoiD wrote:
> In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.
Hi, proxy firewalls are almost dead also as closed source products. They lack the flexibility needed for dealing with new protocols, especially those based on UDP, which are much more common now. IMHO this is exactly why, as fwtk died, not many cared about openfwtk. Currently, from what I can see, there are almost only reverse proxies; almost nobody puts proxies in front of the Internet.

WRT performance, I agree with Tracy that most networks don't need the Gbps speeds in front of the Internet, but many don't feel comfortable with 100 Mbps when dealing with local traffic, and most security-conscious companies don't just have firewalls in front of the Internet. But there are solutions: ntop's PF_RING http://www.ntop.org/PF_RING.html is an example of how much can be achieved when a system is not general purpose.

IMHO the problem is, for many years firewalls have been "trivial" tools that had little in the way of firewalling features, fighting on performance, integration with e.g. VPN and load balancers etc. Vendors had to invent "deep packet inspection" in order to say that they actually *do* some checks ;) But still, the recent problems with the split handshake seem to show that some/many firewalls don't even enforce proper protocol syntax (how could they otherwise be confused about the direction of protocol sessions, no matter how the handshake happened?) and still nobody cares. It is "normal" that a firewall mostly enforces protocols up to TCP, and then something else (IPS, WAF, etc.) deals with "content".

And I know many companies that don't even enable the "deep packet inspection" features of their high-end firewall, fearing to create a bottleneck ;) So, still nobody cares about what the firewall actually can do ;) I agree with Marcus that APT could increase the attention on what's happening on the network, but since most companies don't really understand security, most will happily buy some DLP product, put it somewhere and forget it, since more effective solutions would need to have somebody reading and understanding the reports, and that costs money (OPEX) ;)

An OSS firewall would need to either provide something "new" and interesting that current products don't have, or provide at least the same "features" as current products, including integration with load balancing, VPN, etc. Also, proxies could be used for e.g. some addresses and some protocols, keeping the option to use packet filtering for others. I know that this can be done, but not many have the skills required to assemble all of these components, so all of this should be provided as a "package", or else the project wouldn't reach the critical mass for success. If you look for a community, you could look at the OWASP community: while "testing" is much more fun than protecting ;), you could find some help there.

I don't agree with Marcus that you can't fight with 20 engineers; almost all OSS projects do, and their success or failure is hardly related to this kind of competition.

Regards,

- Claudio

--
Claudio Telmon
claudio () telmon org
http://www.telmon.org
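Claudio's point about the split handshake is that a firewall which enforces the TCP handshake's syntax cannot be confused about who opened a session. The following is an added illustration, not code from the original message or from any product named in the thread: a minimal connection tracker that pins session direction to the endpoint that sent the first SYN and drops anything that deviates from the SYN / SYN-ACK / ACK sequence, placed beside the naive heuristic ("the client is whoever sent the most recent bare SYN") that gets the direction wrong. The endpoint names, the two packet sequences and the state names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# A packet is (source endpoint, destination endpoint, set of TCP flags).
# Endpoint names and flag sets below are constructed sample data.
Packet = Tuple[str, str, set]


@dataclass
class Flow:
    initiator: str                      # endpoint that sent the first bare SYN
    responder: str
    state: str = "SYN_SENT"
    anomalies: List[str] = field(default_factory=list)


class StrictTracker:
    """Handshake state machine: direction is fixed at the first SYN and only
    the RFC 793 three-way exchange (SYN, SYN+ACK, ACK) can reach ESTABLISHED."""

    def __init__(self) -> None:
        self.flows: Dict[FrozenSet[str], Flow] = {}

    def observe(self, src: str, dst: str, flags: set) -> str:
        key = frozenset((src, dst))
        syn, ack = "SYN" in flags, "ACK" in flags
        flow = self.flows.get(key)

        if flow is None:
            if syn and not ack:
                self.flows[key] = Flow(initiator=src, responder=dst)
                return "SYN_SENT"
            return "DROP: packet for unknown flow"      # no mid-stream pickup

        if flow.state == "SYN_SENT":
            if src == flow.initiator and syn and not ack:
                return "SYN_SENT"                       # SYN retransmission
            if src == flow.responder and syn and ack:
                flow.state = "SYN_RECEIVED"
                return flow.state
            if src == flow.responder and syn and not ack:
                # The responder answers a SYN with its own SYN instead of SYN+ACK.
                # Direction stays with the original initiator; the packet is dropped.
                flow.anomalies.append("split handshake: responder sent bare SYN")
                return "DROP: split handshake"
        elif flow.state == "SYN_RECEIVED":
            if src == flow.initiator and ack and not syn:
                flow.state = "ESTABLISHED"
                return flow.state
        elif flow.state == "ESTABLISHED":
            if not syn:
                return "ESTABLISHED"

        flow.anomalies.append(f"unexpected {sorted(flags)} from {src} in {flow.state}")
        return f"DROP: unexpected in {flow.state}"


def naive_initiator(packets: List[Packet]) -> Optional[str]:
    """Loose heuristic: the client is whoever sent the last bare SYN.
    This is the kind of logic that lets a reordered handshake flip direction."""
    client = None
    for src, _dst, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            client = src
    return client


def strict_run(packets: List[Packet]) -> Tuple[List[str], Optional[str], List[str]]:
    """Feed packets through StrictTracker; return per-packet decisions,
    the pinned initiator, and any anomalies recorded."""
    tracker = StrictTracker()
    decisions = [tracker.observe(*p) for p in packets]
    flow = next(iter(tracker.flows.values()), None)
    if flow is None:
        return decisions, None, []
    return decisions, flow.initiator, flow.anomalies


# Constructed sample traffic.
NORMAL_HANDSHAKE: List[Packet] = [
    ("client", "server", {"SYN"}),
    ("server", "client", {"SYN", "ACK"}),
    ("client", "server", {"ACK"}),
]
# The server replies to the SYN with a bare SYN and the roles appear to swap.
SPLIT_HANDSHAKE: List[Packet] = [
    ("client", "server", {"SYN"}),
    ("server", "client", {"SYN"}),
    ("client", "server", {"SYN", "ACK"}),
    ("server", "client", {"ACK"}),
]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_HANDSHAKE), ("split", SPLIT_HANDSHAKE)):
        decisions, initiator, anomalies = strict_run(pkts)
        print(name, "naive client:", naive_initiator(pkts),
              "| strict initiator:", initiator, "| decisions:", decisions,
              "| anomalies:", anomalies)
```

The naive heuristic reports the server as the client for the second sequence, which is exactly the direction confusion Claudio describes; the strict tracker keeps the initiator fixed, never reaches ESTABLISHED, and records the anomaly for logging.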