Monday, April 25, 2011

firewall-wizards Digest, Vol 57, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Query: Role of Firewalls within a SAN environment itself
not just the periphery (ArkanoiD)
2. Proxies, opensource and the general market: what's wrong with
us? (ArkanoiD)
3. Re: Cisco ASA5585 (Farrukh Haroon)
4. Re: Proxies, opensource and the general market: what's wrong
with us? (Anton Chuvakin)
5. Re: Proxies, opensource and the general market: what's wrong
with us? (Tracy Reed)
6. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)


----------------------------------------------------------------------

Message: 1
Date: Sun, 24 Apr 2011 20:56:01 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Query: Role of Firewalls within a SAN
environment itself not just the periphery
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110424165601.GA11983@eltex.net>
Content-Type: text/plain; charset=koi8-r

There are solutions that do "smart" things like deduplication/data-aware cache on iSCSI level.

Why a firewall/DLP appliance cannot do pretty similar task, just security-centric?

------------------------------

Message: 2
Date: Sun, 24 Apr 2011 21:27:34 +0400
From: ArkanoiD <ark@eltex.net>
Subject: [fw-wiz] Proxies, opensource and the general market: what's
wrong with us?
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20110424172734.GB11983@eltex.net>
Content-Type: text/plain; charset=koi8-r

In early days, proxy firewalls and opensource (or just "crystal box" :-) solutions dominated the market.

Now both are either extinct or forced to an ulgy low end (for opensource, it usually means having no
security-centric framework, no common API, no real code review -- just a bunch of "functionally fit"
free things installed on a linux box with some simple web interface). For proxy firewalls the future is
even more questionable. Multiple state-of-the-art technology leaders were merging (quite obviously being
unable to stay competitive with cheapo crap) until there was only One left.. SC, later bought by McAfee.
And now McAfee is owned by Intel and it seems to show no interest in high end firewall solutions at all,
they seem to think they just bought an "antivirus company".

I asked guys on LinkedIn (having to admit LinkedIn security community sucks big time, some sane people are still there :-)
, if they still have some interest in opensource firewall solutions. The short answer
was "NO". The long ones were:

-- It is all about performance, we want as many Gbits per $ as possible, so ASIC is only way

-- It is all about features and support, no free solution fits.


And the second point seems to be pretty valid. We have *NO* product that is a match for current "market leaders".
It does not mean it is impossible: it is quite obviously possible, but we still do not have it.

You may take OpenFWTK, Prelude, Snort, ClamAV, some unix of you choice and.. still not get really the same.
Protocol support is not that good, no common management interface and not really ready for enterprise which
is not full of geeks at all, management overhead and TCO are going to jump up beyond any reasonable limit.

OpenDLP is just a sad joke, running a bunch of regexps against your data is not the thing to be called DLP.

As I am still running the OpenFWTK project, I have to admit I get little to *NO* support form Opensource community.
The single reason the project is still alive is occasional donations and paid feature requests from *commercial* vendors who
use some OpenFWTK components in their products. Maybe once a year or two I receive a bug report or even a patch or some half-baked
piece of documentation. I appreciate that, but most of the times I never hear from those people again.
Despite that, Sourceforge shows several downloads/checkouts daily, but the feedback is close to zero. Once I googled for
OpenFWTK I found some japanese site with patches they did not bother even to send me, and there was no contact email and
no way to send them any questions as comment form was protected with captcha in japanese!


------------------------------

Message: 3
Date: Sun, 24 Apr 2011 22:35:40 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Cisco ASA5585
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTinMR=4Z6psM3MdnQZxmObk-ORJ9Gw@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello Morven

Try googling "NSS labs tipping point" :); it will reveal some interesting
stuff.

Regards

Farrukh

On Tue, Apr 19, 2011 at 1:49 PM, Morley, Morven <M.E.Morley@tees.ac.uk>wrote:

> Hi all,
>
> Does anyone have any experience of the Cisco
> ASA5585 appliances, specifically the IPS capabilities of the devices, how
> do they compare with a Tipping Point IPS device regarding ease of
> administration, false/positives, automatic updates of digital vaccines?
>
>
>
>
>
> Regards
>
> Morven
>
>
>
>
>
> *Mrs Morven Morley, Network Manager, ICT Systems*
>
> *x2187*
>
>
>
> [image:
> http://www.tees.ac.uk/minisites/teessideuniversity/emails/ICT-09-10-email.gif]
>
>
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110424/28f597f8/attachment-0001.html>

------------------------------

Message: 4
Date: Mon, 25 Apr 2011 12:53:14 -0700
From: Anton Chuvakin <anton@chuvakin.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTinMN9c9QDJD5vJ6TfkOzZ3aa4L5Bg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> And the second point seems to be pretty valid. We have *NO* product that is a match for current "market
>leaders". It does not mean it is impossible: it is quite obviously possible, but we still do not have it.

Well, now I know that I missed the fw-wiz discussions of the list's
"golden years" :-)

In ArkanoiD's insightful rant, I am hearing "open source security
tools are dead." Is that really so? I doubt it - and here is why: I
think a lot of use cases for OSS sec tools are being dismissed by the
rant author as "cheapo crap." In reality, "cheapo crap" means "used by
everybody else but F1000"

For example, over the last few years, a lot of my blog traffic has
been driven by people googling for "open source SIEM" and "open source
log management." People are googling for this like crazy - this point
to an existing need for a free/OSS log management tools. Snort (IMHO)
and nmap are still in common use. Web app firewall (WAF) has a lot of
open source action as well.

Now, is there a big "market" now for an open source network firewall?
Hmm, not so sure....

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106


------------------------------

Message: 5
Date: Mon, 25 Apr 2011 14:24:04 -0700
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: firewall-wizards@listserv.cybertrust.com
Message-ID: <20110425212403.GB3737@tracyreed.org>
Content-Type: text/plain; charset="us-ascii"

On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
> Now both are either extinct or forced to an ulgy low end (for
> opensource,
>
> it usually means having no security-centric framework,

What does this mean?

> no common API,

How would a firewall API work and what would it do? What does "common"
mean in this context? Same API across multiple different firewall
vendors?

> no real code review

Depends on what you mean by "real". I know tons of people look at the
Linux firewall code.

> -- just a bunch of "functionally fit" free things installed on a linux
> box with some simple web interface).

I don't know what "functionally fit" means either.

As for web interfaces, most of the Linux firewalls I've used (especially
Shorewall, my favorite) have no web interface. I really don't want
someone managing my firewall who requires a web interface. I also like
to version control my firewall configs and back them up within my normal
backup infrastructure which most web interfaces cannot handle.

> I asked guys on LinkedIn (having to admit LinkedIn security community
> sucks big time, some sane people are still there :-) , if they still
> have some interest in opensource firewall solutions. The short answer
> was "NO". The long ones were:
>
> -- It is all about performance, we want as many Gbits per $ as
> possible, so ASIC is only way

The number of infrastructures that need firewalls which are transferring
< 100Mb/s are far greater in number than those pulling > 1Gb/s. Do all
your LinkedIn pals work for Google, Facebook, etc? I have deployed lots
of firewalls and only a few ever handled more than a few hundred
megabits. The vast majority transfer at most on the order of single
megabits. Yet some of these single-digit-Mb/s firewalls protect large
numbers of credit card data and have serious security requirements.

> -- It is all about features and support, no free solution fits.

I can understand a company wanting support for their firewall. Support
costs someone's time and that quite fairly costs money.

As for features, what features are the real sticking points here? Are we
just comparing bullet lists or do you really *need* certain features
which are lacking?

> Protocol support is not that good, no common management interface and

What protocols are we talking about here and what are we wanting to do
with them?

What is an example of a commercial product that has a common management
interface? What other product is it in common with?

> not really ready for enterprise which is not full of geeks at all,

I would think you would want to hire a geek to operate your firewall and
other security infrastructure if security was important to you.

> management overhead and TCO are going to jump up beyond any reasonable
> limit.

Why?

> OpenDLP is just a sad joke, running a bunch of regexps against your
> data is not the thing to be called DLP.

How do the commercial products do it?

> As I am still running the OpenFWTK project, I have to admit I get
> little to *NO* support form Opensource community.

I very rarely hear about openfwtk and I'm in the business. I know of
very few companies who have deployed or want to run proxies. Most just
stick with stateful packet filtering and maybe a squid/varnish proxy for
http and call it a day. In order to have community support you have to
have a community. There are 30 people in #shorewall on freenode.net and
for nearly 10 years now there has always been someone to help out
whenever I had an issue. The mailing list is quite active also. Tom
Eastep does a fantastic job of running the project working with the
community. openfwtk-devel at
http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
emails in the archive over years. And no IRC channel. It is barely
visible at all on the net. You don't get community support if you have
no community.

--
Tracy Reed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20110425/966df385/attachment-0001.pgp>

------------------------------

Message: 6
Date: Tue, 26 Apr 2011 04:49:51 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110426004951.GA25455@eltex.net>
Content-Type: text/plain; charset=koi8-r

On Mon, Apr 25, 2011 at 02:24:04PM -0700, Tracy Reed wrote:
> On Sun, Apr 24, 2011 at 09:27:34PM +0400, ArkanoiD spake thusly:
> > Now both are either extinct or forced to an ulgy low end (for
> > opensource,
> >
> > it usually means having no security-centric framework,
>
> What does this mean?
>
> > no common API,
>
> How would a firewall API work and what would it do? What does "common"
> mean in this context? Same API across multiple different firewall
> vendors?

A "framework" means it is not just a bunch of inconsistent code.
API.. well, Gauntlet had a kind of API. Zorp does have, OpenFWTK does.
A linux box with squid+squidguard+IMspector+nntpcache+greensql+dante+whatever is something else,
despite the fact it can do "more".

>
> > no real code review
>
> Depends on what you mean by "real". I know tons of people look at the
> Linux firewall code.

You mean packet filter code? :-)

>
> > -- just a bunch of "functionally fit" free things installed on a linux
> > box with some simple web interface).
>
> I don't know what "functionally fit" means either.

See above.

> As for web interfaces, most of the Linux firewalls I've used (especially
> Shorewall, my favorite) have no web interface. I really don't want
> someone managing my firewall who requires a web interface. I also like
> to version control my firewall configs and back them up within my normal
> backup infrastructure which most web interfaces cannot handle.

Shorewall is just packet filter configuration frontend.

> > -- It is all about features and support, no free solution fits.
>
> I can understand a company wanting support for their firewall. Support
> costs someone's time and that quite fairly costs money.
>
> As for features, what features are the real sticking points here? Are we
> just comparing bullet lists or do you really *need* certain features
> which are lacking?
>

We do. Say, dealing with webmail *exactly* the same way as "classic" email protocols is a must these
days.

> > Protocol support is not that good, no common management interface and
>
> What protocols are we talking about here and what are we wanting to do
> with them?
>
> What is an example of a commercial product that has a common management
> interface? What other product is it in common with?

"Common" means you may build a feature rich system using components you need.
It is vendor-centric, usually, but Juniper, McAfee and even Cisco are good examples.

> > not really ready for enterprise which is not full of geeks at all,
>
> I would think you would want to hire a geek to operate your firewall and
> other security infrastructure if security was important to you.
>
> > management overhead and TCO are going to jump up beyond any reasonable
> > limit.
>
> Why?
>
> > OpenDLP is just a sad joke, running a bunch of regexps against your
> > data is not the thing to be called DLP.
>
> How do the commercial products do it?

Lots of pretty complicated ways, including endpoint data discovery, digital fingerprinting, data normalization, on-the-fly ocr and stuff.

>
> > As I am still running the OpenFWTK project, I have to admit I get
> > little to *NO* support form Opensource community.
>
> I very rarely hear about openfwtk and I'm in the business. I know of
> very few companies who have deployed or want to run proxies. Most just
> stick with stateful packet filtering and maybe a squid/varnish proxy for
> http and call it a day. In order to have community support you have to
> have a community. There are 30 people in #shorewall on freenode.net and
> for nearly 10 years now there has always been someone to help out
> whenever I had an issue. The mailing list is quite active also. Tom
> Eastep does a fantastic job of running the project working with the
> community. openfwtk-devel at
> http://sourceforge.net/mail/?group_id=192764 has 7 subscribers and 10
> emails in the archive over years. And no IRC channel. It is barely
> visible at all on the net. You don't get community support if you have
> no community.

Exactly how am i expected to get the community?

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 5
***********************************************

No comments:

Post a Comment