Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: David Lang <david () lang hm>
Date: Wed, 27 Apr 2011 13:52:48 -0700

On Tue, 26 Apr 2011 10:51:35 +0200, Claudio Telmon wrote:
On 04/24/2011 07:27 PM, ArkanoiD wrote:
In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.

Hi,
proxy firewalls are almost dead also as closed source products. They lack the flexibility needed for dealing with new protocols, especially those based on UDP, which are much more common now. IMHO this is exactly why, as fwtk died, not many cared about openfwtk. Currently, for what I can see, there are almost only reverse proxies; almost nobody puts proxies in front of the Internet.

however, as proxy firewalls are dying, new devices with the type of checking that proxies do are becoming more common.

doing the checking with a proxy listening to a specific port should be significantly easier than checking for all protocols on all connections passing through the devices.

unfortunately, maintaining this sort of checking requires a _lot_ of work.

opensource projects work when they hit the point of becoming 'good enough' for people to use, at which point they really start to gain momentum as all the different people start to work to add the 'one extra feature that I want' to the base.

open projects implementing proxies have a really hard time here, because most people have bought into the marketing that all a firewall should be is a packet filter, so proxies aren't going to be used by anyone who can just use a packet filter, and the available proxies don't do a lot of things that the commercial tools do, so the gap where someone has decided that packet filters are not good enough, and where they need features that only the commercial tools offer is pretty narrow.

I think there is some room for a HTTP or XML firewall checker to be implemented and satisfy a lot of needs (technical needs that is, when management makes a decision that "all firewalls are going to be Cisco" or even "all firewalls must be commercial appliances" that trumps all technical issues), but right now I am not aware of any free tools in these spaces, completely ignoring the 'learning modes' of many of the commercial offerings.

When a new project is supposed to be a replacement for an existing tool, it needs to be able to do, if not everything that the old project could do, at least the subset of features that the old project did that users need.

openfwtk hasn't hit this yet for me, as the key thing that I use FWTK for is the authenticated proxies, and the last I checked it doesn't have an authsrv equivalent (or the ability for its proxies to tie in to an authentication source). openfwtk also isn't the complete solution that ArkanoiD painted it to be; for many things it just says 'use tool X', which is a good thing to avoid re-inventing the wheel, but it doesn't result in the firewall API that he is looking for.

David Lang

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
