Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Tracy Reed <treed () ultraviolet org>
Date: Thu, 28 Apr 2011 12:35:58 -0700
On Thu, Apr 28, 2011 at 08:05:20AM +0200, Magosányi Árpád spake thusly:
> But it is not. Network perimeter defence is an industry seriously hit by marketing bullshit from some vendors, who could not come out with a decent firewall, so redefined the term to be applicable to their products.
The proliferation of BS is a serious problem. Buzzwords are everywhere. It is hard to know what really provides value/security and what is just buzzwords and lengthening the bullet list of features to make the product more attractive.
> Doing this they came out with a definition which goes against basic security principles and empties the meaning of the word to the extent which makes it nearly pointless to have "firewalls".
I think it would be hard to make the argument that it is pointless to have packet filters. How would defining a firewall as a packet filter go against basic security principles? You could then simply say you need a firewall (packet filter) AND these various other proxies and tools to secure your network. Perhaps we are not really doing ourselves a favor by overloading the word "firewall" to such an extent?

Just for fun I googled for the word "firewall" to find some sort of definition and the first link is Wikipedia: http://en.wikipedia.org/wiki/Firewall_%28computing%29 Curiously, they list three generations of "firewall": packet filters, application layer, stateful filters. Pretty much every packet filter these days is stateful. But many firewall implementations skipped the application layer functionality.
> This led to a state of affairs where there is practically no discussion about a lot of important questions of network perimeter defense, because the majority of the "firewall" people are kept in darkness about the issue to the extent that they do not have the background even to ask the right questions.
What are some of the questions that you feel get overlooked?
> This means that even though those same vendors now would be in the position to implement actually meaningful features, they do not do it because they have conditioned their consumers to not think about such things.
I think they have simply failed to educate the customer about the value of those features. The vendors are constantly looking for ways to differentiate themselves in what has fast become a commodity market. Why doesn't the customer care? If I see two boxes on the shelf with the same price but one seems to offer more security than the other I'm going to buy that one. But the additional perceived security just isn't there for the customer.
> When you see someone trying to correct this "firewall = packet filter" nonsense, you actually see a vain attempt to correct these mistakes. Because the first step to meaningfully discussing something is to have meaningful definitions.
I understand and appreciate that a firewall can be more than just a packet filter. But to insist that a packet filter is not a firewall does not seem to accomplish anything because then you have to define exactly what a firewall really does require to be called a firewall which can get quite complicated. The idea that all of that functionality should be in one box or provided by one vendor bothers me also. It seems to violate the UNIX philosophy of do one thing and do it well.

--
Tracy Reed
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards