Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?



On Mon, Apr 25, 2011 at 02:24:04PM -0700, Tracy Reed wrote:
> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
> > Now both are either extinct or forced to an ugly low end (for
> > opensource,
> >
> > it usually means having no security-centric framework,
>
> What does this mean?
>
> > no common API,
>
> How would a firewall API work and what would it do? What does "common"
> mean in this context? Same API across multiple different firewall
> vendors?

A "framework" means it is not just a bunch of inconsistent code.
API.. well, Gauntlet had a kind of API. Zorp does have, OpenFWTK does.
A linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else,
despite the fact it can do "more".

> > no real code review
>
> Depends on what you mean by "real". I know tons of people look at the
> Linux firewall code.

You mean packet filter code? :-)

> > -- just a bunch of "functionally fit" free things installed on a linux
> > box with some simple web interface).
>
> I don't know what "functionally fit" means either.

See above.

> As for web interfaces, most of the Linux firewalls I've used (especially
> Shorewall, my favorite) have no web interface. I really don't want
> someone managing my firewall who requires a web interface. I also like
> to version control my firewall configs and back them up within my normal
> backup infrastructure which most web interfaces cannot handle.

Shorewall is just a packet filter configuration frontend.

> > -- It is all about features and support, no free solution fits.
>
> I can understand a company wanting support for their firewall. Support
> costs someone's time and that quite fairly costs money.
>
> As for features, what features are the real sticking points here? Are we
> just comparing bullet lists or do you really *need* certain features
> which are lacking?

We do. Say, dealing with webmail *exactly* the same way as "classic" email protocols is a must these
days.

> > Protocol support is not that good, no common management interface and
>
> What protocols are we talking about here and what are we wanting to do
> with them?
>
> What is an example of a commercial product that has a common management
> interface? What other product is it in common with?

"Common" means you may build a feature-rich system using the components you need.
It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.

> > not really ready for enterprise which is not full of geeks at all,
>
> I would think you would want to hire a geek to operate your firewall and
> other security infrastructure if security was important to you.
>
> > management overhead and TCO are going to jump up beyond any reasonable
> > limit.
>
> Why?
>
> > OpenDLP is just a sad joke, running a bunch of regexps against your
> > data is not the thing to be called DLP.
>
> How do the commercial products do it?

Lots of pretty complicated ways, including endpoint data discovery, digital fingerprinting, data normalization, on-the-fly OCR and stuff.

> > As I am still running the OpenFWTK project, I have to admit I get
> > little to *NO* support from the Opensource community.
>
> I very rarely hear about openfwtk and I'm in the business. I know of
> very few companies who have deployed or want to run proxies. Most just
> stick with stateful packet filtering and maybe a squid/varnish proxy for
> http and call it a day. In order to have community support you have to
> have a community. There are 30 people in #shorewall on freenode.net and
> for nearly 10 years now there has always been someone to help out
> whenever I had an issue. The mailing list is quite active also. Tom
> Eastep does a fantastic job of running the project working with the
> community. openfwtk-devel at
> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
> emails in the archive over years. And no IRC channel. It is barely
> visible at all on the net. You don't get community support if you have
> no community.

Exactly how am I expected to get the community?



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
