Re: [fwd] Firewall Products: Many Not Ready For Prime Time,

[David Bonn <David.Bonn () watchguard com>]

> > > > > "Chris" == Christopher Nicholls <chrisn () softway com au> writes:
> > > > > "Jody" wrote:

Jody> I refer to this as the Mojo Bag Theory of Firewall Purchase. The
Jody> idea is that you buy one and just having it keeps away the evil eye. :-)
Jody> (Burning incense in front of the firewall may or may not be a "best
Jody> practice", depending on the particular shaman, er, consultant, that you
Jody> call in to do the eval.)

Chris> I couldn't agree more. Further, I think one of the most alarming
Chris> trends developing is the movement towards "shrink-wrap firewalls" -
Chris> buy now pay later! If ever there was an item not to be bought
Chris> off-the-shelf, it's security. Maybe one day we will be able to use
Chris> self configuring f/w "..yessiree, just plug in your security policy
Chris> here Mr Customer... you don't have one? Never mind - use our default
Chris> virtual policy!". Sounds a bit like the beginnings of a very
Chris> interesting 1 April prank...

I'm speaking from some obvious corporate biases here, since my
employer is probably one of the companies you are speaking of.

What you're really paying for when you hire a security consultant is
*expertise*.  Now, good judgement comes from experience (and
experience comes from bad judgement, but that's another story ;).
Now, do security consultants build each and every security policy and
configuration from scratch?  Probably not if they want to make money.
What they will usually do is grab some solution from a similar
situation they saw in the past and modify it for the local
configuration.

This is a good thing.  The customers are paying for someone with
experience and expertise, and wasting the customers money and the
consultant's time reinventing the wheel is silly at best and
borderline unethical at worst.

Given that, what's wrong with encapsulating experience and expertise
into software?  Or to ask the question another way, what aspects of
security systems are resistant to encapsulation into software?

If you compare firewall unit sales with internet growth, it looks
probable that only about ten percent of the potential customer base
are purchasing firewalls of any kind.  Can anyone argue with a
straight face that that ninety percent is better off with no security
software at all?

Chris> But how do you convince the MIS Manager that 1) this is ot a good
Chris> approach, 2) you (the consultant) are not just holding the high
Chris> intelectual ground to prevent them from such implementations and 3) IT
Chris> security is not talismans and incense?

Most customers I've seen have no equivalent of an MIS manager.  Many
of them don't even have an on-site network administrator.  I'm not
saying that they don't *need* such people, but the reality is that a
lot of organizations who are connecting to the internet

There are a lot of clueless people deploying large internets these
days.  You probably don't have to look much further than your local
government to find horrifying examples.

How do we help these people?  Remember that most of them can't (or
won't) drop a thousand bucks a day to have some high-hat security guy
come in and tell them how to run their network.

Chris> A firewall is not a means unto itself - it is only the proverbial tip
Chris> of the (security) iceberg.

Certainly true.

Consider that if a firewall is easier to configure and manage, there
might be more time and more resources available for the rest of the
iceberg.

David Bonn
CTO, WatchGuard Technologies, Inc.