Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Tracy Reed <treed () ultraviolet org>
Date: Thu, 28 Apr 2011 12:35:58 -0700

On Thu, Apr 28, 2011 at 08:05:20AM +0200, Magosányi Árpád spake thusly:
> But it is not. Network perimeter defence is an industry seriously
> hit by marketing bullshit from some vendors, who could not come out
> with a decent firewall, so redefined the term to be applicable to
> their products.

The proliferation of BS is a serious problem. Buzzwords are everywhere.
It is hard to know what really provides value/security and what is just
buzzwords and lengthening the bullet list of features to make the
product more attractive.

> Doing this they came out with a definition which goes against basic
> security principles and empties the meaning of the word to the
> extent that it becomes nearly pointless to have "firewalls".

I think it would be hard to make the argument that it is pointless to
have packet filters. How would defining a firewall as a packet filter go
against basic security principles? You could then simply say you need a
firewall (packet filter) AND these various other proxies and tools to
secure your network. Perhaps we are not really doing ourselves a favor
by overloading the word "firewall" to such an extent?

Just for fun I googled for the word "firewall" to find some sort of
definition and the first link is wikipedia:

http://en.wikipedia.org/wiki/Firewall_%28computing%29

Curiously, they list three generations of "firewall": packet filters,
application layer, stateful filters. 

Pretty much every packet filter these days is stateful. But many
firewall implementations skipped the application layer functionality.

> This led to a state of affairs where there is practically no
> discussion about a lot of important questions of network perimeter
> defense, because the majority of the "firewall" people are kept in
> darkness about the issue to the extent that they do not have the
> background even to ask the right questions.

What are some of the questions that you feel get overlooked?

> This means that even though those same vendors now would be in the
> position to implement actually meaningful features, they do not do
> it because they have conditioned their consumers to not think about
> such things.

I think they have simply failed to educate the customer about the value
of those features. The vendors are constantly looking for ways to
differentiate themselves in what has fast become a commodity market.
Why doesn't the customer care? If I see two boxes on the shelf with the
same price but one seems to offer more security than the other I'm going
to buy that one. But the additional perceived security just isn't there
for the customer.

> When you see someone trying to correct this "firewall = packet
> filter" nonsense, you actually see a vain attempt to correct these
> mistakes. Because the first step to meaningfully discussing
> something is to have meaningful definitions.

I understand and appreciate that a firewall can be more than just a
packet filter. But to insist that a packet filter is not a firewall does
not seem to accomplish anything, because then you have to define exactly
what a firewall really requires to be called a firewall, which can
get quite complicated.

The idea that all of that functionality should be in one box or provided
by one vendor bothers me also. It seems to violate the UNIX philosophy
of do one thing and do it well.

-- 
Tracy Reed

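The three "generations" the thread argues over (stateless packet filter, stateful filter, application-layer proxy) are easier to compare on the same traffic than in the abstract. The following is an added illustration, not code from the list or from either poster: it runs a handful of constructed TCP packets (hypothetical addresses in 10.0.0.0/24, 203.0.113.0/24 and 198.51.100.0/24) through a toy of each generation and shows what each one admits. A stateless filter that recognises "replies" by source port 80 and the ACK flag admits an unsolicited packet crafted to look like one; a stateful filter rejects that but still passes any payload riding on an established tcp/80 flow; only the application-layer check refuses an SSH banner sent to port 80.

```python
"""Three generations of 'firewall' decisions on the same constructed traffic.

Added example for the firewall-wizards discussion; addresses, ports and
payloads below are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


INSIDE_PREFIX = "10.0.0."  # hypothetical protected network


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """First generation: each packet judged on its own header.
    Policy: inside hosts may open tcp/80 outbound. A 'reply' is anything
    inbound with source port 80 and ACK set, which a stateless filter cannot
    tell apart from an unsolicited packet built to match that pattern."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return True
    if is_inside(pkt.dst) and pkt.sport == 80 and "A" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful generation: remembers flows opened from inside and admits
    inbound packets only when they belong to one of those flows."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "S" in pkt.flags:          # outbound SYN creates the flow
                self.flows.add(key)
            return key in self.flows
        if is_inside(pkt.dst):
            # inbound: must match a flow the inside host opened (tuple reversed)
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return False


ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def http_request_ok(payload: bytes) -> bool:
    """Application layer: the first line must be a well-formed HTTP request
    line with a permitted method. Anything else carried on tcp/80 is refused."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False
    parts = line.split(" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return (method in ALLOWED_METHODS and target.startswith("/")
            and version in ("HTTP/1.0", "HTTP/1.1"))


class ApplicationProxy(StatefulFilter):
    """Stateful tracking plus inspection of the client's request data."""

    def decide(self, pkt: Packet) -> bool:
        if not super().decide(pkt):
            return False
        if is_inside(pkt.src) and pkt.payload:
            return http_request_ok(pkt.payload)
        return True


# Constructed traffic, in order of arrival.
TRAFFIC = [
    # 0-2: a legitimate web request and its handshake reply
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "S"),
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, "SA"),
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    # 3: unsolicited inbound packet dressed as a reply (sport 80, ACK set)
    Packet("198.51.100.7", 80, "10.0.0.9", 22, "A"),
    # 4-6: an SSH client tunnelling out over tcp/80 through a real flow
    Packet("10.0.0.5", 40002, "203.0.113.20", 80, "S"),
    Packet("203.0.113.20", 80, "10.0.0.5", 40002, "SA"),
    Packet("10.0.0.5", 40002, "203.0.113.20", 80, "PA", b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def run_all() -> dict[str, list[bool]]:
    """Return the accept/deny verdict of each generation for every packet."""
    stateful, proxy = StatefulFilter(), ApplicationProxy()
    return {
        "stateless": [stateless_filter(p) for p in TRAFFIC],
        "stateful": [stateful.decide(p) for p in TRAFFIC],
        "proxy": [proxy.decide(p) for p in TRAFFIC],
    }


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:>9}: {['pass' if v else 'DROP' for v in verdicts]}")
```

Packet 3 is the one the stateless filter gets wrong and the stateful filter gets right; packet 6 is the one only the application-layer check catches. Which of the three deserves the name "firewall" is exactly the definitional question the thread is about; the code only makes concrete what each layer can and cannot see.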
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
