Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Timothy Shea <tim () tshea net>
Date: Tue, 26 Apr 2011 08:30:59 -0500

On Mon, Apr 25, 2011 at 4:24 PM, Tracy Reed <treed () ultraviolet org> wrote:

> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
>
> I don't know what "functionally fit" means either.
>
> As for web interfaces, most of the Linux firewalls I've used (especially
> Shorewall, my favorite) have no web interface. I really don't want
> someone managing my firewall who requires a web interface. I also like
> to version control my firewall configs and back them up within my normal
> backup infrastructure which most web interfaces cannot handle.

This comment makes me think you are the only 'security person' in your
organization.  I work for a security team.  I'm just one part of that team
and we run lots of firewalls.  And the biggest issue with having a large
number of firewalls with a big team is management.  I care that I can manage
them all from a central interface, that I can manage who does changes, that
I can audit changes, and back out changes when needed.  Also - passing
audits is easier (not that that's a security concern - but it is a time saver).
We have a lot of different people playing in this environment and need tools
robust enough to deal with that.


>> I asked guys on LinkedIn (having to admit LinkedIn security community
>> sucks big time, some sane people are still there :-) , if they still
>> have some interest in opensource firewall solutions. The short answer
>> was "NO". The long ones were:
>>
>> -- It is all about performance, we want as many Gbits per $ as
>> possible, so ASIC is the only way

> The number of infrastructures that need firewalls which are transferring
> < 100Mb/s are far greater in number than those pulling > 1Gb/s.  Do all
> your LinkedIn pals work for Google, Facebook, etc? I have deployed lots
> of firewalls and only a few ever handled more than a few hundred
> megabits. The vast majority transfer at most on the order of single
> megabits. Yet some of these single-digit-Mb/s firewalls protect large
> amounts of credit card data and have serious security requirements.


Anyone who internally segments their network has high bandwidth
requirements.  I'm replacing a firewall right now that has gig interfaces
because it's dropping packets.  And I have never worked for a 'google'.


>> Protocol support is not that good, no common management interface and
>
> What protocols are we talking about here and what are we wanting to do
> with them?
>
> What is an example of a commercial product that has a common management
> interface? What other product is it in common with?


Which ones don't?  Checkpoint, Netscreen, even Cisco PIX/ASAs have (ugh)
Ciscoworks.



>> not really ready for enterprise which is not full of geeks at all,
>
> I would think you would want to hire a geek to operate your firewall and
> other security infrastructure if security was important to you.


Like routers and switches - firewall management has become a commodity.  I
have no problem with a network team or "non-geeks" running our firewalls.  I
have no problem even outsourcing that function.   We have other controls in
place to evaluate changes to that environment.



>> management overhead and TCO are going to jump up beyond any reasonable
>> limit.
>
> Why?
>
>> OpenDLP is just a sad joke, running a bunch of regexps against your
>> data is not the thing to be called DLP.
>
> How do the commercial products do it?


The problem is management and in the case of DLP - updates of new signatures
and support of a wide variety of systems.  As far as I can tell - OpenDLP
supports only Windows systems.  We need to monitor Oracle, DB2, messaging,
different types of end-points, e-mail, etc.  Support is also critical as
"non-geeks" are typically the ones keeping track of violations (I certainly
don't want a "geek" doing that).



>> As I am still running the OpenFWTK project, I have to admit I get
>> little to *NO* support from the Opensource community.
>
> I very rarely hear about openfwtk and I'm in the business. I know of
> very few companies who have deployed or want to run proxies. Most just
> stick with stateful packet filtering and maybe a squid/varnish proxy for
> http and call it a day. In order to have community support you have to
> have a community. There are 30 people in #shorewall on freenode.net and
> for nearly 10 years now there has always been someone to help out
> whenever I had an issue. The mailing list is quite active also. Tom
> Eastep does a fantastic job of running the project working with the
> community. openfwtk-devel at
> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
> emails in the archive over years. And no IRC channel. It is barely
> visible at all on the net. You don't get community support if you have
> no community.


The traditional packet-filtering firewall has become less important in the
overall security architecture.  We build 'security' into every part of the
application.  And we do run "proxies" but they are closer to the
application, usually contain custom code specific to the application, and
they perform a wide variety of tasks such as authentication, authorization,
validation of the request, etc.  No opensource products exist for this.  I
also need people who can support and write code to this platform, and a
commercial solution comes with a built-in ecosystem in which we can find
resources.

As for users - we shove them through their own commercial proxy.  We chose
to do so because of the ability to manage, reporting, and total cost of
ownership is less than putting in a bunch of squid proxies (which I've
personally installed many times).  And I include in the total cost of
ownership having to respond to malware incidents because opensource malware
tools aren't kept as up to date as commercial versions.


-- 
Tim Shea
tim () tshea net
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards