Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: david () lang hm
Date: Wed, 27 Apr 2011 11:15:14 -0700 (PDT)
On Tue, 26 Apr 2011, Timothy Shea wrote:

> On Mon, Apr 25, 2011 at 4:24 PM, Tracy Reed <treed () ultraviolet org> wrote:
>
>> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
>>
>> I don't know what "functionally fit" means either. As for web interfaces, most of the Linux firewalls I've used (especially Shorewall, my favorite) have no web interface. I really don't want someone managing my firewall who requires a web interface. I also like to version control my firewall configs and back them up within my normal backup infrastructure, which most web interfaces cannot handle.
>
> This comment makes me think you are the only 'security person' in your organization. I work for a security team. I'm just one part of that team and we run lots of firewalls. And the biggest issue with having a large number of firewalls with a big team is management. I care that I can manage them all from a central interface, that I can manage who does changes, that I can audit changes, and back out changes when needed. Also - passing audits is easier (not that that's a security concern - but it is a time saver). We have a lot of different people playing in this environment and need tools robust enough to deal with that.
I work in a company where there are a lot of people involved. I also strongly prefer having config files and command line tools rather than web interfaces.
Config files and command line tools are _far_ easier to automate, and automation does far more to reduce errors than having a web interface.
>>> I asked guys on LinkedIn (having to admit LinkedIn security community sucks big time, some sane people are still there :-) ), if they still have some interest in opensource firewall solutions. The short answer was "NO". The long ones were:
>>>
>>> -- It is all about performance, we want as many Gbits per $ as possible, so ASIC is only way
>>
>> The number of infrastructures that need firewalls which are transferring < 100Mb/s are far greater in number than those pulling > 1Gb/s. Do all your LinkedIn pals work for Google, Facebook, etc? I have deployed lots of firewalls and only a few ever handled more than a few hundred megabits. The vast majority transfer at most on the order of single megabits. Yet some of these single-digit-Mb/s firewalls protect large numbers of credit card data and have serious security requirements.
>
> Anyone who internally segments their network has high bandwidth requirements. I'm replacing a firewall right now that has gig interfaces because it's dropping packets. And I have never worked for a 'google'.
I have a network that is highly segmented internally. I also do most of the segmentation with proxies (including a few of the old FWTK proxies), and I very seldom find that there are really problems with bandwidth on the network. I've had many cases where people argued that we couldn't put the proxies in place because they would cause unacceptable performance problems, and every time that I have challenged them to measure before and after performance of their application, the difference has been in the noise.
David Lang
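Both sides of the exchange above want the same thing from a firewall config: it should live in version control, and a change should be auditable and reversible. A practical snag with doing that for iptables is that `iptables-save -c` output carries per-rule packet/byte counters and "Generated by"/"Completed on" timestamps, so every snapshot differs even when the policy did not change. The script below (an added example written for this archive, not code from anyone in the thread) strips that noise so a stored snapshot only changes when a rule changes, and reports added, removed and reordered rules per table. The three dumps are constructed samples, not from a real host.

```python
"""Normalize iptables-save dumps so they diff cleanly under version control,
and report rule-level changes between two snapshots (added example)."""
import re
from difflib import unified_diff
from typing import Dict, List

# Constructed sample in `iptables-save -c` format (not captured from a real host).
OLD_DUMP = """\
# Generated by iptables-save v1.4.21 on Mon Apr 25 10:00:00 2011
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [34:2720]
[100:8000] -A INPUT -i lo -j ACCEPT
[55:4400] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[3:180] -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 10:00:00 2011
"""

# Same policy a day later: only counters and timestamps differ (constructed).
COUNTERS_ONLY_DUMP = """\
# Generated by iptables-save v1.4.21 on Tue Apr 26 10:00:00 2011
*filter
:INPUT DROP [40:3200]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [90:7200]
[250:20000] -A INPUT -i lo -j ACCEPT
[120:9600] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[9:540] -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Apr 26 10:00:00 2011
"""

# A real policy change: SSH source narrowed, a proxy port opened (constructed).
NEW_DUMP = """\
# Generated by iptables-save v1.4.21 on Wed Apr 27 11:00:00 2011
*filter
:INPUT DROP [41:3280]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:7280]
[251:20080] -A INPUT -i lo -j ACCEPT
[121:9680] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -p tcp -s 10.1.0.0/16 --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -s 10.0.0.0/8 --dport 3128 -j ACCEPT
COMMIT
# Completed on Wed Apr 27 11:00:00 2011
"""

# Leading counters on rule lines and trailing counters on ":CHAIN POLICY" lines.
LEADING_COUNTER = re.compile(r"^\[\d+:\d+\]\s*")
TRAILING_COUNTER = re.compile(r"\s*\[\d+:\d+\]$")


def normalize(dump: str) -> List[str]:
    """Return the dump's lines with comment lines and packet/byte counters removed."""
    lines = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # "Generated by"/"Completed on" timestamps are not policy
        line = LEADING_COUNTER.sub("", line)
        line = TRAILING_COUNTER.sub("", line)
        lines.append(line)
    return lines


def rules_by_table(lines: List[str]) -> Dict[str, List[str]]:
    """Group normalized lines into {table: [chain policies and rules, in order]}."""
    tables: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif current is not None:
            tables[current].append(line)
    return tables


def rule_changes(old_dump: str, new_dump: str) -> Dict[str, dict]:
    """Report per-table added/removed rules; iptables evaluates rules in order,
    so a pure reordering of the retained rules is flagged as a change too."""
    old_t = rules_by_table(normalize(old_dump))
    new_t = rules_by_table(normalize(new_dump))
    report: Dict[str, dict] = {}
    for table in sorted(set(old_t) | set(new_t)):
        old_rules, new_rules = old_t.get(table, []), new_t.get(table, [])
        old_set, new_set = set(old_rules), set(new_rules)
        added = [r for r in new_rules if r not in old_set]
        removed = [r for r in old_rules if r not in new_set]
        kept_old = [r for r in old_rules if r in new_set]
        kept_new = [r for r in new_rules if r in old_set]
        reordered = kept_old != kept_new
        if added or removed or reordered:
            report[table] = {"added": added, "removed": removed, "reordered": reordered}
    return report


def diff_text(old_dump: str, new_dump: str) -> str:
    """Unified diff of the normalized dumps, suitable for a commit message or audit log."""
    return "\n".join(unified_diff(normalize(old_dump), normalize(new_dump),
                                  fromfile="rules.v4.old", tofile="rules.v4.new", lineterm=""))


if __name__ == "__main__":
    print("counters-only change:", rule_changes(OLD_DUMP, COUNTERS_ONLY_DUMP))
    print("real change:", rule_changes(OLD_DUMP, NEW_DUMP))
    print(diff_text(OLD_DUMP, NEW_DUMP))
```

Committing `normalize()` output rather than the raw dump is what makes the history useful: a nightly snapshot job produces no commit when nothing changed, and when a commit does appear, `rule_changes()` states exactly which rules were added, dropped or moved, which is the audit trail Tim asks for and what makes backing out a change a matter of reverting one commit.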
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards