Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

Robert A Beken wrote:
I have a question for the group about this new trend of using a single
firewall for all IDS and Firewall related tasks in an integrated box for
enterprise organizations (not SOHO). I personally think it's a bad idea
and lacks flexibility in configuration and "defense in depth" posture
towards security. What are other people's thoughts?

I think it's going to happen no matter what anyone wants. Because
the security market is consolidating into 2 types of companies:
- single solution VC-backed start-ups chasing the hot topic du jour
- huge mega corporations that don't actually develop anything and
simply buy and integrate technologies to a greater or lesser

My guess is that VCs would split a rib laughing if someone came
to them with a business plan for a new firewall company. :) So the
funding for the established security technologies is going to dry up
which means that the big companies have commoditized it and
the standalone players have to either sell out or go out of business.
Basically, 'best of breed' only survives in a market that has not
stabilized yet, and security has stabilized to the point where, basically,
it's just marketing weasels coming up with cool new names for proxies,
packet filtering, and signature matching.

I agree with you that best of breed and defense in depth make a great
deal of sense but the commercial security market will likely not support a
vibrant vendor-base much longer. Indeed, my guess is that security,
as a market separate from network infrastructure/management and
system administration is not likely to last another 10 years. If you
look at the current trends, it may even happen that the security market
will be mostly gone in 5. Once the big players have absorbed enough
basic security features they'll be able to suck the oxygen away from the
remaining small players by offering those features as freebie option-ons
and it's "game over, man."

By the way, NONE of this will result in the end users having usable
and effective security. Remember, the security market does not exist
to provide security; it exists for itself. When it's a dried-out husk the
game will move someplace else and you'll STILL have insecure


