Tuesday, April 26, 2011

firewall-wizards Digest, Vol 57, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Proxies, opensource and the general market: what's wrong
with us? (ArkanoiD)
2. Re: Proxies, opensource and the general market: what's wrong
with us? (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Tue, 26 Apr 2011 04:57:42 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20110426005742.GA26773@eltex.net>
Content-Type: text/plain; charset=koi8-r

No, I did not mean OSS security tools in general. I just wanted to point out
if you rely solely on OSS tools, you get somehow "impaired" when it comes to firewall
and DLP functionality.

On Mon, Apr 25, 2011 at 12:53:14PM -0700, Anton Chuvakin wrote:
>
> In ArkanoiD's insightful rant, I am hearing "open source security
> tools are dead." Is that really so? I doubt it - and here is why: I
> think a lot of use cases for OSS sec tools are being dismissed by the
> rant author as "cheapo crap." In reality, "cheapo crap" means "used by
> everybody else but F1000"
>
> For example, over the last few years, a lot of my blog traffic has
> been driven by people googling for "open source SIEM" and "open source
> log management." People are googling for this like crazy - this points
> to an existing need for free/OSS log management tools. Snort (IMHO)
> and nmap are still in common use. Web app firewall (WAF) has a lot of
> open source action as well.
>
> Now, is there a big "market" now for an open source network firewall?
> Hmm, not so sure....
>
> --
> Dr. Anton Chuvakin
> Site: http://www.chuvakin.org
> Blog: http://www.securitywarrior.org
> LinkedIn: http://www.linkedin.com/in/chuvakin
> Consulting: http://www.securitywarriorconsulting.com
> Twitter: @anton_chuvakin
> Google Voice: +1-510-771-7106
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Mon, 25 Apr 2011 20:29:56 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Proxies, opensource and the general market:
what's wrong with us?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Anton Chuvakin <anton@chuvakin.org>
Message-ID: <4DB61204.2040204@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Anton Chuvakin wrote:
> In ArkanoiD's insightful rant, I am hearing "open source security
> tools are dead." Is that really so? I doubt it - and here is why: I
> think a lot of use cases for OSS sec tools are being dismissed by the
> rant author as "cheapo crap." In reality, "cheapo crap" means "used by
> everybody else but F1000"

The problem is that's where the money is. And PCI and other
audit standards are going to exacerbate the problem. The
market has shifted away from do-it-yourself to checkbox
security in a big way, and that means that the OSS products
pretty much are left to appeal to the customer who has no money,
i.e., is not interesting to the vendors.

I agree with you that it's not necessarily "crap" but OSS
generally means "free" which also means that one or two
OSS solutions suck all the oxygen out of the bottom of the
market - while the commercial offerings dominate the middle
and the top. If you get into a feature war with a commercial
product that has 20 engineers working on it, full-time, you
are not going to win if you're a typical OSS project. That
is especially the case with firewalls. It's one thing to
write a bunch of software that's going to run in *BSD or
whatever, but the commercial competition is using Cavium
processors on custom motherboards with crypto accelerators
and regex in silicon. To play where the commercial bandwidth
is, you need a couple million bucks - at a minimum - just
to tool up enough to start developing a product, let alone
bring it to market.

Back in the day, customers always tortured me about
bandwidth through the firewall - even though, at that
time, nobody actually knew what they were pushing; they
just needed a promise that it was faster than it could
possibly be. OSS by its nature appeals to people that
won't just believe a sales brochure that says "it'll
handle 20 jillion wossnames/sec!" but the commercial
market is now acclimated to exactly that. It's a cultural
divide that's only deepening and will get much deeper
still in the coming years.

Where I still have some hope is the "advanced persistent
threats yadda yadda" is slowly cluing people in to the fact
that you CANNOT escape without knowing what's going on
in your network. Looking for command and control is
the next IDS and antivirus signatures everywhere game
but the survivors are already looking at how to parse
their networks apart, logically, to improve analysis
of traffic and to figure out how to leverage configuration
management and change detection to identify machines
that are infected. There won't BE a one size fits all
technology for that (though many things will be sold
as exactly that) because it's got to be specific to your
network, and - at its core - knowledge based on facts
you know about how your network should behave. In other
words a move away from "misbehavioral" based anomaly
detection toward "goodbehavioral" based analysis. There
will be a market for building tools for such purposes
but, again, they'll have to handle skull-popping
amounts of data at really high speeds. I don't see OSS
working in that space unless someone makes an OSS
network processor-based applications framework that
includes hardware. No vendor will do that because they
don't care about some OSS project; they want to sell
to Cisco or Palo Alto or whoever.

The short form of all that is that I think the security
market has matured, financially, if not technologically.
The do-it-yourselfers are fewer and fewer and I guess
we're kind of like steampunks: longing for technology
of yesteryear where we forget today how much we hated
it then.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 57, Issue 6
***********************************************
