Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: ArkanoiD <ark () eltex net>
Date: Wed, 27 Apr 2011 23:48:22 +0400

On Tue, Apr 26, 2011 at 12:25:37AM -0700, Tracy Reed wrote:

> Even "inconsistent code" is rather nebulous. Does it all have to be written by
> the same person? In the same style? Same language? What?
>
> Googling for "openfwtk api" produces references to the fwtk API in websites
> talking about openfwtk. Googling for "fwtk api" produces references to OpenFWTK
> saying stuff like "OpenFWTK is an application proxy toolkit which inherits the
> ideology of TIS fwtk and maintains API backwards compatibility." What is the
> OpenFWTK API?

A set of functions and data structures that provide access to common configuration,
authentication, logging and (to some extent) data processing mechanisms.

Wasn't it clear enough?

> when someone calls a packet filter a firewall. It just seems like pointless
> snobbery.
>
> > Shorewall is just a packet filter configuration frontend.
>
> Indeed it is. And the PCI SSC considers this packet filter a firewall which
> makes card data more secure. And that's just what I need to make my clients
> happy.

(shrugs) if that's enough for you, I doubt reading this list provides any value in this context :-)

> > We do. Say, dealing with webmail *exactly* the same way as "classic" email
> > protocols is a must these days.
>
> You propose that a firewall should be able to MITM the https stream of gmail,
> parse the HTML/Javascript coming from gmail (wouldn't you have to even execute
> the Javascript and possibly run into the Halting problem etc?) and...do what
> with it? And if gmail changes their code? And you expect a firewall to do this
> for every webmail implementation? That does not seem reasonable.

It may sound "reasonable" or not, but it is a sane requirement. Sane from some customer's point of
view, like in "I do not care about your technical problems, I just pay the money to someone
who stops whining and gets the job done. If there is more than one, OK, I agree to listen to
some tech talk about how you do it better than others".

> > "Common" means you may build a feature-rich system using the components you need.
> > It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.
>
> "no common management interface" and "common means you may build a feature rich
> system using components you need"? I'm just not following.

You do not really see a difference between Shorewall and, sorry for the buzzword, an "enterprise-ready system"
which includes firewalls, filtering routers (ah, sorry, those two are the same for you), IDS, endpoint security
solutions, DLP components, security information management systems, reporting tools etc. etc. that any "big name" may
provide?

> Googling for "firewall data normalization" or "DLP data normalization" does not
> produce anything useful.
>
> "data loss prevention ocr" turns up http://www.codegreennetworks.com/index.htm
> but only because OCR stands for the Office for Civil Rights which is apparently
> the part of the US govt that enforces HIPAA. And that DLP box looks less like a
> firewall than an appliance which sits on a span/mirror port and sniffs traffic
> and applies matching and parsing rules.
>
> In short, it's hard to tell what any of this really means, whether anyone is
> really producing software that does much of this stuff, or whether anyone is
> really asking for it, and whether it isn't all just marketing BS in an industry
> infamously rife with such BS.

(shrugs) We have a solution here that does it all. Don't think it is a problem that you cannot
google it.

> So that explains the problem that FWTK and presumably by extension OpenFWTK is
> trying to solve. DARPA identified the problem in 1993 but nobody else seems to
> have picked up on it or care much in 2011. PCI DSS is my area of focus and
> nobody is pushing the filtering of protocol content, just packets.

Damn fscking sure. Compliance is a "totally different thing".
(I "do some PCI DSS" as well, but cannot even imagine it as an "area of focus", it is damn boring.
Well, writing new standards may be fun, but "just following" is not :-).

> This is where something like OpenFWTK might be useful but it seems like
> Apache mod_security and its commercial variant have this market well serviced.
> And even then, when a web application spews sensitive information via SQL
> injection it usually does so without ever violating the HTTP protocol. In 1993
> the big threat was buffer overflow exploits where your HTTP server might
> suddenly serve up a root shell on the tcp connection. That seems to be what
> DARPA was trying to stop. That problem has been mitigated more or less.
> Enforcing HTTP protocol (et al) may still be valuable but it does not protect
> us from the biggest threats of today.

Damn sure, for http-driven attacks protocol-level threats are almost a non-issue (except
a few SSL ones). That does not mean there is no job for an application proxy, though.

> There is where DLP etc. come in,
> apparently.

Not here, DLP is not designed to do that.

> > Exactly how am I expected to get the community?
>
> What problem are you trying to solve? Is it really a problem anyone needs
> solved? You sure you aren't solving DARPA's problem of 1993?

Yes.

> Shorewall solves
> the problem I and many others have to solve. Very few people need many of the
> features which you have mentioned. Those who do need such things probably have
> tons of money and are in corporate CYA environments where they want someone to
> blame when things go wrong so they will want commercial support. DLP and the
> many other fancy features mentioned are covered by the big guys and small shops
> don't need/care for it. For all these reasons it is hard to identify who might
> be potential members of your OpenFWTK community.

"Someone to blame" is a good point (not someone to be responsible or to solve the problem :-)

Well, I just wonder why there is almost no one who is willing to try the same things "for free".

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards