Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Tracy Reed <treed () ultraviolet org>
Date: Tue, 26 Apr 2011 00:25:37 -0700
On Tue, Apr 26, 2011 at 04:49:51AM +0400, ArkanoiD spake thusly:
> A "framework" means it is not just a bunch of inconsistent code. API.. well, Gauntlet had a kind of API. Zorp does have, OpenFWTK does. A linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else, despite the fact it can do "more".
Even "inconsistent code" is rather nebulous. Does it all have to be written by the same person? In the same style? Same language? What? Googling for "openfwtk api" produces references to the fwtk API in websites talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK saying stuff like "OpenFWTK is an application proxy toolkit which inherits the ideology of TIS fwtk and maintains API backwards compatibility." What is the OpenFWTK API? Googling for "firewall API" turns up a bunch of stuff about the Windows XP firewall API. "cisco pix api" turns up nothing relevant. "barracuda firewall api" turns up "The Barracuda Spam Firewall API is a set of six CGI scripts that can be accessed to administer the Barracuda in a remote manner." CGIs? Well, Barracuda isn't exactly high end. Googling for "websense firewall api" doesn't turn up anything although a search for "firewall endpoint data discovery" (one of the high end features you mention below) turns up links to websense stuff. RSA DLP Endpoint looks like it might be more along the lines of what you are talking about but it isn't a firewall at all. It looks like an agent that runs on the workstation. I understand packet filters and proxies to be firewalls. A lot of the rest of the stuff (DLP, endpoint discovery, OCR, etc. etc.) seem like separate pieces of software. Security related, sure, but not firewalls.
>> Depends on what you mean by "real". I know tons of people look at the Linux firewall code.
>
> You mean packet filter code? :-)
Yes. Here we have a problem somewhat like the classical meaning of "hacker" vs the common meaning of "hacker". And this firewall vs packet filter debate may not even have that much legitimacy. I can find a number of people who still subscribe to the classical idea of a hacker but a few of the denizens of this mailing list are the only ones I know of who insist on issuing a correction when someone calls a packet filter a firewall. It just seems like pointless snobbery.
> Shorewall is just packet filter configuration frontend.
Indeed it is. And the PCI SSC considers this packet filter a firewall which makes card data more secure. And that's just what I need to make my clients happy.
> We do. Say, dealing with webmail *exactly* the same way as "classic" email protocols is a must these days.
You propose that a firewall should be able to MITM the https stream of gmail, parse the HTML/Javascript coming from gmail (wouldn't you have to even execute the Javascript and possibly run into the Halting problem etc?) and...do what with it? And if gmail changes their code? And you expect a firewall to do this for every webmail implementation? That does not seem reasonable.
>>> Protocol support is not that good, no common management interface and
>>
>> What protocols are we talking about here and what are we wanting to do with them? What is an example of a commercial product that has a common management interface? What other product is it in common with?
>
> "Common" means you may build a feature rich system using components you need. It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.
"no common management interface" and "common means you may build a feature rich system using components you need"? I'm just not following.
>>> OpenDLP is just a sad joke, running a bunch of regexps against your data is not the thing to be called DLP.
>>
>> How do the commercial products do it?
>
> Lots of pretty complicated ways, including endpoint data discovery, digital fingerprinting, data normalization, on-the-fly ocr and stuff.
Googling for "firewall data normalization" or "DLP data normalization" does not produce anything useful. "data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm but only because OCR stands for the Office for Civil Rights which is apparently the part of the US govt that enforces HIPAA. And that DLP box looks less like a firewall than an appliance which sits on a span/mirror port and sniffs traffic and applies matching and parsing rules. In short, it's hard to tell what any of this really means, whether anyone is really producing software that does much of this stuff, or whether anyone is really asking for it, and whether it isn't all just marketing BS in an industry infamously rife with such BS.

I vaguely remember when fwtk was first released back in 1993. Network Security JumpStart (via Google Books) says: "FWTK was created for the Defense Advanced Research Projects Agency (DARPA) by Trusted Information Systems (TIS) when DARPA realized that no packet filter would be secure enough to filter protocol content." So that explains the problem that FWTK, and presumably by extension OpenFWTK, is trying to solve. DARPA identified the problem in 1993 but nobody else seems to have picked up on it or care much in 2011.

PCI DSS is my area of focus and nobody is pushing the filtering of protocol content, just packets. The closest thing I am aware of is PCI DSS requirement 6.6. The goal of 6.6 is to prevent SQL injections etc. from leaking payment card data and it only applies to those requiring compliance with SAQ-D who store payment account numbers. That is the minority of e-commerce shops...I hope! 6.6 gives you the option of doing source code reviews of the externally facing web applications or implementing a web application firewall. This is where something like OpenFWTK might be useful but it seems like Apache mod_security and its commercial variant have this market well serviced.
And even then, when a web application spews sensitive information via SQL injection it usually does so without ever violating the HTTP protocol. In 1993 the big threat was buffer overflow exploits where your HTTP server might suddenly serve up a root shell on the tcp connection. That seems to be what DARPA was trying to stop. That problem has been mitigated more or less. Enforcing HTTP protocol (et al) may still be valuable but it does not protect us from the biggest threats of today. There is where DLP etc. come in, apparently.
> Exactly how am i expected to get the community?
What problem are you trying to solve? Is it really a problem anyone needs solved? You sure you aren't solving DARPA's problem of 1993? Shorewall solves the problem I and many others have to solve. Very few people need many of the features which you have mentioned. Those who do need such things probably have tons of money and are in corporate CYA environments where they want someone to blame when things go wrong so they will want commercial support. DLP and the many other fancy features mentioned are covered by the big guys and small shops don't need/care for it. For all these reasons it is hard to identify who might be potential members of your OpenFWTK community.

-- 
Tracy Reed
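The point made in the message above, that an SQL injection leaking card data usually never violates the HTTP protocol while the 1993-era overflow did, can be shown in a few lines. The following is an added example, not code from Tracy Reed, ArkanoiD, or any product named in the thread: a strict HTTP/1.x request-line and header check of the kind an application proxy enforces, next to a content check of the kind a DLP filter applies (digit-run candidates plus a Luhn test on the response body). The request and response samples are constructed for this example, and the card numbers are the standard Luhn-valid test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample traffic (not captured from any real system).
# A request that is valid HTTP/1.1 in every respect, but carries a SQL
# injection payload in the query string.
SQLI_REQUEST = (
    "GET /account?id=1%27%20UNION%20SELECT%20pan%2Cexpiry%20FROM%20cards-- HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: curl/7.68.0\r\n"
    "\r\n"
)

# A 1993-style attack: an oversized request line aimed at a fixed stack buffer.
OVERFLOW_REQUEST = "GET /" + "A" * 4096 + " HTTP/1.0\r\n\r\n"

# What the injected query produced.  The two 16-digit values are the usual
# Luhn-valid test numbers; the 13-digit order number fails Luhn and must not
# be reported as a card number.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<tr><td>4111111111111111</td><td>12/26</td></tr>\n"
    "<tr><td>5105 1051 0510 5100</td><td>03/25</td></tr>\n"
    "<tr><td>order 1234567890123</td></tr>\n"
)

# --- protocol enforcement: the proxy's 1993 view of the world ---------------

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: *[^\r\n]*$")
MAX_REQUEST_LINE = 2048  # assumed limit for this example


def http_request_conformant(raw: str) -> bool:
    """True if the request is syntactically valid HTTP/1.x within size limits.

    This is the level at which a protocol-enforcing proxy stops an overflow
    attempt; it says nothing about what the (valid) query string asks the
    backend to do.
    """
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        return False
    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE or not REQUEST_LINE.match(request_line):
        return False
    return all(HEADER_LINE.match(h) for h in lines[1:])


# --- content inspection: the DLP view ---------------------------------------

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_exchange(request: str, response: str) -> Dict[str, object]:
    """Run both checks over one request/response pair."""
    return {
        "protocol_ok": http_request_conformant(request),
        "leaked_pans": find_pans(response),
    }


if __name__ == "__main__":
    print("overflow request passes protocol check:",
          http_request_conformant(OVERFLOW_REQUEST))
    print("sqli exchange:", inspect_exchange(SQLI_REQUEST, LEAKY_RESPONSE))
```

Run stand-alone, the oversized request fails the protocol check while the injection request passes it cleanly; only the content check on the response notices the two card numbers. That is the gap the message describes: enforcing HTTP syntax is still worth doing, but the data-leak class of problem is only visible to something that understands what the payload contains, and a plain regex without a Luhn test would also have reported the order number as a third card.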
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards