Re: Proxies, opensource and the general market: what's wrong with us?

[david () lang hm]

On Tue, 26 Apr 2011, Timothy Shea wrote:

> On Mon, Apr 25, 2011 at 4:24 PM, Tracy Reed <treed () ultraviolet org> wrote:
>
> > On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
> >
> > I don't know what "functionally fit" means either.
> >
> > As for web interfaces, most of the Linux firewalls I've used (especially
> > Shorewall, my favorite) have no web interface. I really don't want
> > someone managing my firewall who requires a web interface. I also like
> > to version control my firewall configs and back them up within my normal
> > backup infrastructure which most web interfaces cannot handle.
> >
> > This comment makes me think you are the only 'security person' in your
> organization.  I work for a security team.  I'm just one part of that team
> and we run lots of firewalls.  And the biggest issue with having a large
> number of firewalls with a big team is management.  I care that I can manage
> them all from a central interface, that I can manage who does changes, that
> I can audit changes, and back out changes when needed.  Also - passing
> audits is easier (not that's a security concern - but it is a time saver).
> We have a lot of different people playing in this environment and need tools
> robust enough to deal with that.

I work in a company where there are a lot of people involved. I also 
strongly prefer having config files and command line tools rather than web 
interfaces.

config files and command line tools are _far_ easier to automate, and 
automation does far more to reduce errors than having a web interface.

> > > I asked guys on LinkedIn (having to admit LinkedIn security community
> > > sucks big time, some sane people are still there :-) , if they still
> > > have some interest in opensource firewall solutions. The short answer
> > > was "NO". The long ones were:
> > >
> > > -- It is all about performance, we want as many Gbits per $ as
> > > possible, so ASIC is only way
> >
> > The number of infrastructures that need firewalls which are transferring
> > < 100Mb/s are far greater in number than those pulling > 1Gb/s.  Do all
> > your LinkedIn pals work for Google, Facebook, etc? I have deployed lots
> > of firewalls and only a few ever handled more than a few hundred
> > megabits. The vast majority transfer at most on the order of single
> > megabits. Yet some of these single-digit-Mb/s firewalls protect large
> > numbers of credit card data and have serious security requirements.
>
> Anyone who internally segments their network has high bandwidth
> requirements.  I'm replacing a firewall right that has gig interfaces
> because its dropping packets.  And I have never worked for a 'google'.

I have a network that is highly segmented internally. I also do most of 
the segmentation with proxies (including a few of the old FWTK proxies), I 
very seldom find that there are really problems with bandwidth on the 
network. I've had many cases where people argued that we couldn't put the 
proxies in place because they would cause unacceptable performance 
problems, and every time that I have challenged them to measure before and 
after performance of their application, the difference has been in the 
noise.

David Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards