Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?

On Tue, 26 Apr 2011, ArkanoiD wrote:

On Tue, Apr 26, 2011 at 10:03:04AM +0200, Magosányi Árpád wrote:

3. Actually using real firewalls meaningfully needs a level of maturity
which very few enterprises possess.
a) As we all know, the firewall operator is the one who should chase
down programming bugs at the end of the day simply because s/he is in
the position to see all parts of the puzzle. It is a big burden, and
easier just to allow anything through than make a real solution. And the
one who should solve the problem is not the firewall operator. You need
a very strong exception management procedure to handle only that aspect
(ITIL as used today is just not enough for this). And we were talking
about only simple breaches of the protocol. It happens everywhere, the
http proxy to the outer world is being a prominent example of how
impossible this mission could get.

There are some right things happening, though. I see many firewalls are now
capable of dealing with http based applications in quite complex ways.
Looks like FOSS is lagging behind again (except WAF part) :-(

[...]

the GPL side. Because open source is about community, and reaching
critical mass is very hard, especially if you come with a niche product
aimed at the enterprise. This is a feat neither FWTK nor Zorp have been
able to reach.

Quite amazing, but fwtk (old TIS one) was there once. But it was 15 years ago :-(
Easy to use "firewall-oriented" Unix toolboxes like Smoothwall, Shorewall, IPCop, m0n0wall etc.
have reached that quite easily, but they are not really "aimed at the enterprise",
they are aimed to be user-friendly at the low end/SOHO. I was referring to it as "cheapo crap",
well, it sounds too rude, but it was just intended to describe this positioning.

Maybe I should start with designing simple kick-start tools for newbies? Will it help?

the biggest problem is that newbies don't realize they need this sort of thing. they keep hearing the mantra that a firewall is just a packet filter (possibly with 'deep packet inspection') and that the firewall should _not_ be doing anything else; anything else is the job of a separate box, be it a WAF (which they don't think is a firewall, even though the F stands for firewall), IPS, or XML filter.

[...]

6. The world is changing. This means that new buzzwords coming up,
followed dutifully by the market. Fortunately new buzzwords usually mean
the same old things. Those ideas which have been too immature 20 years
ago, reemerge later in a different name and shape. You are looking for
application level firewall? Look at "xml firewall" and "SOA firewall".
They are out there. Yes, they are specialized into a very tiny subset of
the problem space (and the rest is still uncovered), but maybe that is
the most important part anyway.

XML/SOA firewalls were expected to have a great future, but they are useless unless you
have detailed system design documents with data flow described in the tiniest details and
you are ready to spend about 10% of resources (or even more) used to implement the system
itself on security related issues.

In the real world it means "almost never".

Some enterprises buy it anyways, because "XML firewall" sounds cool.

even for WAF, IPS, and XML filters, there is the huge problem of figuring out what to configure them to allow. What's needed is tools that can look at samples of 'good' traffic and create the rules to match (and do it in such a way that the rules learned from dev/QA can be easily used in production rather than having to learn what's 'normal' in an environment where hostile traffic is common)

David Lang
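The "learn the allow-rules from good traffic" idea in the message above, sketched as an added example that is not code from the thread or from any of the products it mentions. It learns a positive security model (allowed endpoints, parameter names and value character classes) from a handful of constructed dev/QA request samples, generalizes numeric path segments so the rules carry over to production data, and then classifies production requests against the model. The sample requests, the helper names (learn, check, classify) and the value-class table are all assumptions made for this illustration.

```python
"""Learn a positive-security (allow-list) model for HTTP requests from 'good' samples.

Added example; constructed sample data and hypothetical helper names.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Value character classes, ordered from most specific to most general.
# A value is assigned the first class whose pattern it matches.
VALUE_CLASSES = [
    ("int", re.compile(r"^[0-9]+$")),
    ("alnum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text", re.compile(r"^[A-Za-z0-9 _.,@-]+$")),
]
GENERALITY = {"int": 0, "alnum": 1, "text": 2}


def classify(value):
    """Return the name of the narrowest class matching value, or 'any' if none does."""
    for name, rx in VALUE_CLASSES:
        if rx.match(value):
            return name
    return "any"  # never learned as allowed; callers treat it as a mismatch


def normalize_path(path):
    """Replace purely numeric path segments with {int} so /users/42 and /users/7
    share one rule; this is what lets QA-learned rules apply to production ids."""
    return "/".join("{int}" if seg.isdigit() else seg for seg in path.split("/"))


def learn(samples):
    """samples: iterable of (method, url) taken from trusted dev/QA traffic.

    Returns {(METHOD, path_template): {param_name: widest_class_seen}}.
    """
    model = {}
    for method, url in samples:
        parts = urlsplit(url)
        key = (method.upper(), normalize_path(parts.path))
        params = model.setdefault(key, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls = classify(value)
            if cls == "any":
                # Refuse to learn from a sample we cannot describe; the sample
                # set must be curated rather than silently widened to "anything".
                raise ValueError(f"sample value for {name!r} fits no class; curate the samples")
            prev = params.get(name)
            if prev is None or GENERALITY[cls] > GENERALITY[prev]:
                params[name] = cls  # keep the widest class observed for this parameter
    return model


def check(model, method, url):
    """Classify one production request against the learned model.

    Returns (allowed, reason); anything not positively learned is rejected.
    """
    parts = urlsplit(url)
    key = (method.upper(), normalize_path(parts.path))
    if key not in model:
        return False, f"unknown endpoint {key}"
    allowed = model[key]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed:
            return False, f"unexpected parameter {name!r}"
        cls = classify(value)
        if cls == "any" or GENERALITY[cls] > GENERALITY[allowed[name]]:
            return False, f"value of {name!r} outside learned class {allowed[name]!r}"
    return True, "ok"


# Constructed dev/QA samples standing in for a capture of known-good traffic.
QA_SAMPLES = [
    ("GET", "/users/42?fields=name"),
    ("GET", "/users/7?fields=email"),
    ("POST", "/search?q=firewall%20wizards&page=2"),
    ("POST", "/search?q=proxies&page=10"),
]
MODEL = learn(QA_SAMPLES)

if __name__ == "__main__":
    # Constructed "production" requests: the first is benign, the rest deviate
    # from the learned model in one way each (extra parameter, markup characters
    # in a value, non-numeric id, wrong value class).
    for method, url in [
        ("GET", "/users/123?fields=name"),
        ("GET", "/users/123?fields=name&debug=1"),
        ("POST", "/search?q=%3Cb%3E&page=1"),
        ("GET", "/users/abc?fields=name"),
        ("POST", "/search?q=hello&page=x"),
    ]:
        print(method, url, "->", check(MODEL, method, url))
```

The point of the design is the one the message makes: because the model is learned only from the curated dev/QA set, it never has to guess what is "normal" from production traffic that may already contain hostile requests, and the path-template generalization is what keeps the learned rules usable once the ids and names differ in production.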
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards