Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Tracy Reed <treed () ultraviolet org>
Date: Tue, 26 Apr 2011 00:25:37 -0700

On Tue, Apr 26, 2011 at 04:49:51AM +0400, ArkanoiD spake thusly:
> A "framework" means it is not just a bunch of inconsistent code.
> API.. well, Gauntlet had a kind of API. Zorp does have, OpenFWTK does.
> A Linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else,
> despite the fact it can do "more".

Even "inconsistent code" is rather nebulous. Does it all have to be written by
the same person? In the same style? Same language? What?

Googling for "openfwtk api" produces references to the fwtk API in websites
talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK
saying stuff like "OpenFWTK is an application proxy toolkit which inherits the
ideology of TIS fwtk and maintains API backwards compatibility." What is the
OpenFWTK API?

Googling for "firewall API" turns up a bunch of stuff about the Windows XP
firewall API. "cisco pix api" turns up nothing relevant. "barracuda firewall
api" turns up "The Barracuda Spam Firewall API is a set of six CGI scripts that
can be accessed to administer the Barracuda in a remote manner." CGIs? Well,
Barracuda isn't exactly high end. Googling for "websense firewall api" doesn't
turn up anything although a search for "firewall endpoint data discovery" (one
of the high end features you mention below) turns up links to websense stuff.

RSA DLP Endpoint looks like it might be more along the lines of what you are
talking about but it isn't a firewall at all. It looks like an agent that runs
on the workstation.

I understand packet filters and proxies to be firewalls. A lot of the rest of
the stuff (DLP, endpoint discovery, OCR, etc. etc.) seem like separate pieces
of software. Security related, sure, but not firewalls.

>> Depends on what you mean by "real". I know tons of people look at the
>> Linux firewall code.
>
> You mean packet filter code? :-)

Yes. Here we have a problem somewhat like the classical meaning of "hacker" vs
the common meaning of "hacker". And this firewall vs packet filter debate may
not even have that much legitimacy. I can find a number of people who still
subscribe to the classical idea of a hacker but a few of the denizens of this
mailing list are the only ones I know of who insist on issuing a correction
when someone calls a packet filter a firewall. It just seems like pointless
snobbery.

> Shorewall is just a packet filter configuration frontend.

Indeed it is. And the PCI SSC considers this packet filter a firewall which
makes card data more secure. And that's just what I need to make my clients
happy.

> We do. Say, dealing with webmail *exactly* the same way as "classic" email
> protocols is a must these days.

You propose that a firewall should be able to MITM the https stream of gmail,
parse the HTML/Javascript coming from gmail (wouldn't you have to even execute
the Javascript and possibly run into the Halting problem etc?) and...do what
with it? And if gmail changes their code? And you expect a firewall to do this
for every webmail implementation? That does not seem reasonable.

>>> Protocol support is not that good, no common management interface and
>>
>> What protocols are we talking about here and what are we wanting to do
>> with them?
>>
>> What is an example of a commercial product that has a common management
>> interface? What other product is it in common with?
>
> "Common" means you may build a feature rich system using components you need.
> It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.

"no common management interface" and "common means you may build a feature rich
system using components you need"? I'm just not following.

>>> OpenDLP is just a sad joke, running a bunch of regexps against your
>>> data is not the thing to be called DLP.
>>
>> How do the commercial products do it?
>
> Lots of pretty complicated ways, including endpoint data discovery, digital
> fingerprinting, data normalization, on-the-fly OCR and stuff.

Googling for "firewall data normalization" or "DLP data normalization" does not
produce anything useful.

"data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm
but only because OCR stands for the Office for Civil Rights which is apparently
the part of the US govt that enforces HIPAA. And that DLP box looks less like a
firewall than an appliance which sits on a span/mirror port and sniffs traffic
and applies matching and parsing rules.

In short, it's hard to tell what any of this really means, whether anyone is
really producing software that does much of this stuff, or whether anyone is
really asking for it, and whether it isn't all just marketing BS in an industry
infamously rife with such BS.

I vaguely remember when fwtk was first released back in 1993. Network Security
JumpStart (via Google Books) says: "FWTK was created for the Defense Advanced
Research Projects Agency (DARPA) by Trusted Information Systems (TIS) when
DARPA realized that no packet filter would be secure enough to filter protocol
content."

So that explains the problem that FWTK and presumably by extension OpenFWTK is
trying to solve. DARPA identified the problem in 1993 but nobody else seems to
have picked up on it or care much in 2011. PCI DSS is my area of focus and
nobody is pushing the filtering of protocol content, just packets.

The closest thing I am aware of is PCI DSS requirement 6.6. The goal of 6.6 is
to prevent SQL injections etc. from leaking payment card data and it only
applies to those requiring compliance with SAQ-D who store payment account
numbers. That is the minority of e-commerce shops...I hope! 6.6 gives you the
option of doing source code reviews of the externally facing web applications
or implementing a web application firewall.

This is where something like OpenFWTK might be useful but it seems like
Apache mod_security and its commercial variant have this market well serviced.
And even then, when a web application spews sensitive information via SQL
injection it usually does so without ever violating the HTTP protocol. In 1993
the big threat was buffer overflow exploits where your HTTP server might
suddenly serve up a root shell on the tcp connection. That seems to be what
DARPA was trying to stop. That problem has been mitigated more or less.
Enforcing HTTP protocol (et al) may still be valuable but it does not protect
us from the biggest threats of today. There is where DLP etc. come in,
apparently.

> Exactly how am I expected to get the community?

What problem are you trying to solve? Is it really a problem anyone needs
solved? You sure you aren't solving DARPA's problem of 1993? Shorewall solves
the problem I and many others have to solve. Very few people need many of the
features which you have mentioned. Those who do need such things probably have
tons of money and are in corporate CYA environments where they want someone to
blame when things go wrong so they will want commercial support. DLP and the
many other fancy features mentioned are covered by the big guys and small shops
don't need/care for it. For all these reasons it is hard to identify who might
be potential members of your OpenFWTK community.

-- 
Tracy Reed
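As an added illustration of the point made above about requirement 6.6 (example code, not from this thread or either author): a response that leaks card data through SQL injection is still well-formed HTTP, so a protocol-conformance check passes it, and only inspection of the body content (here a regex plus Luhn check, the simplest DLP-style test) flags it. The HTTP sample, the function names and the constants are constructed for this example.

```python
import re

# Constructed sample: a well-formed HTTP response whose body echoes a card number.
LEAKY_BODY = b"<html><body>Order #42: card 4111 1111 1111 1111 exp 12/25</body></html>"
LEAKY_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Content-Length: %d\r\n\r\n" % len(LEAKY_BODY) + LEAKY_BODY)

STATUS_RE = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*$")
HEADER_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed

def parse_http_response(raw: bytes):
    """Protocol check: (headers, body) if raw is a syntactically valid HTTP/1.x
    response whose body length matches Content-Length, else None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.split(b"\r\n")
    if not sep or not STATUS_RE.match(status):
        return None
    headers = {}
    for line in header_lines:
        if not HEADER_RE.match(line):
            return None
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if int(headers.get(b"content-length", len(body))) != len(body):
        return None
    return headers, body

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Content check: digit runs that look like PANs and pass Luhn."""
    digit_runs = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return [d for d in digit_runs if luhn_ok(d)]

def inspect_response(raw: bytes) -> dict:
    """Both checks together: a SQL-injection leak passes the first, fails the second."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return {"protocol_ok": False, "pans": []}
    return {"protocol_ok": True, "pans": find_pans(parsed[1].decode("latin-1"))}
```

Note that the protocol check is exactly the kind of enforcement fwtk was built for, and it is satisfied by the leaky response; only the content check reports the exposed PAN.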


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
