Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: "Fetch, Brandon" <bfetch () tpg com>
Date: Fri, 29 Apr 2011 18:51:24 -0500

(Top-post - BAH, get over it.  :) )

Catching up on the thread belies what (I think) are a few themes we're discussing:
1. Acceptance (and extension usage) of OSS products in the enterprise
2. The comparative advancement of these OSS products relative to the commercial ones (feature creep/bloat)
3. Usability & application of each product type (OSS vs. commercial)

Acceptance:
I can say from my experience in both a Big-4 and my current employer (check the from field), there's a tendency to 
always have a "throat to choke".  Part of this (I'm hopeful) is based on team preservation (I'd rather we blame an 
outside vendor than the employee directly) but I'd bet it's more akin to CYA than anything else.

Cliché yes, but "No one's ever been fired for buying IBM..."

Advancement:
As with all commercial products, there's always a need to "build the better mousetrap" and to remain above your 
competitors regardless if the feature is needed/used/implemented.  This compares favorably with OSS products in that 
there's no time (or code) wasted in implementing or supporting these ancillary (and entirely tangential sometimes) 
features.

Even though you're not matching "checkbox for checkbox" with commercial products you're bound to have a better 
performing product that's focused on what you're using it for.

Usability & application:
This goes back to advancement in that the more complicated products you're using the greater likelihood you have of 
royally screwing things up(tm).  Though I've not used OSS products extensively in production environments, my 
experience has been they do have a tendency to adhere to the more geeky of users and won't give you a pretty face to 
interact with.  A lot of times this suits the ultimate end-user just fine but when you're dealing with corporate 
segmentation of duties (which is definitely more prevalent in bigger companies) you may be stuck with the pretty GUI 
vs. a CLI.

I'll touch on application just a bit by rolling back the discussion to the root design of "your" network.  If you're 
running an entirely flat network with huge broadcast domains everywhere and minimal segmentation then yes, I can see 
how folks will need these types of commercial products that can do tens of gigabits worth of performance.  However, 
with proper segmentation (and requisite understanding) of your data flows you can not only reduce the total utilization 
of individual devices & ports but you also gain the capability to apply controls at each of these points as well.  

Oh, and you can use a lot of these OSS products as the controls running on commodity hardware with (reasonably) no (or 
minimal) ill effects.

I don't recall who did it from the replies but someone implemented proxy controls at choke points internally within 
their network.  The stakeholders of these now proxied services were crying foul yet they could not prove with metrics 
there was any impact to their applications.

This is what a fully segmented network gets you: improved performance with control.  Whether that control takes the 
form of L3/4 ACLs on your routing/switching gear or if it means putting a proxy in front of suspect services you now 
have that capability and can do so in an optimum fashion.

I'd much rather sit down and spend the time to re-purpose some 3 year old servers with multi-port NICs to run 
distributed Snort than spend $50k/year for the next 3 years on installing a "flow aware" IPS.  But in this case my 
employer deems that cost an appropriate trade-off relative to my expense in time lost developing the OSS design.  I'm 
not the one making these decisions but I wouldn't be a good conservator of my company's ward if I were to only make the 
Snort recommendation.

Coming from a "corporate security weenie" I can say businesses predominantly like "solutions", checkboxes, and throats 
to choke but unfortunately a lot of times OSS products can only give us 2 of those 3.

Sorry for the long (and top-posted) reply.
Brandon

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of ArkanoiD
Sent: Sunday, April 24, 2011 1:28 PM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?

In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.

Now both are either extinct or forced to an ugly low end (for opensource, it usually means having no
security-centric framework, no common API, no real code review -- just a bunch of "functionally fit"
free things installed on a linux box with some simple web interface). For proxy firewalls the future is
even more questionable. Multiple state-of-the-art technology leaders were merging (quite obviously being
unable to stay competitive with cheapo crap) until there was only One left.. SC, later bought by McAfee.
And now McAfee is owned by Intel and it seems to show no interest in high end firewall solutions at all,
they seem to think they just bought an "antivirus company".

I asked guys on LinkedIn (having to admit LinkedIn security community sucks big time, some sane people are still there 
:-), if they still have some interest in opensource firewall solutions. The short answer
was "NO". The long ones were:

-- It is all about performance, we want as many Gbits per $ as possible, so ASIC is only way

-- It is all about features and support, no free solution fits.


And the second point seems to be pretty valid. We have *NO* product that is a match for current "market leaders".
It does not mean it is impossible: it is quite obviously possible, but we still do not have it.

You may take OpenFWTK, Prelude, Snort, ClamAV, some unix of your choice and.. still not get really the same.
Protocol support is not that good, no common management interface and not really ready for enterprise which 
is not full of geeks at all, management overhead and TCO are going to jump up beyond any reasonable limit.

OpenDLP is just a sad joke, running a bunch of regexps against your data is not the thing to be called DLP.

As I am still running the OpenFWTK project, I have to admit I get little to *NO* support from Opensource community.
The single reason the project is still alive is occasional donations and paid feature requests from *commercial* 
vendors who use some OpenFWTK components in their products. Maybe once a year or two I receive a bug report or even 
a patch or some half-baked piece of documentation. I appreciate that, but most of the times I never hear from those 
people again.
Despite that, Sourceforge shows several downloads/checkouts daily, but the feedback is close to zero. Once I googled for
OpenFWTK I found some Japanese site with patches they did not bother even to send me, and there was no contact email and
no way to send them any questions as comment form was protected with captcha in Japanese!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

