State of security technology for the enterprise


State of security technology for the enterprise

by Chris Hughes-9

Hello all.

I am currently developing a strategy for evolving the security for my enterprise network.  Currently I protect the core network (servers and services) and internet with inline sensors, use HIDS on all client machines (which performs event correlation with the inline sensors), content filtering, use of AV on all hosts, SSL and IPSec VPN, and spam filtering on the edge.

In reviewing the latest offerings I see that there are new and potentially immature technologies that may be the direction I need to look.  These include:

DPI (deep packet inspection) firewalls
Content filtering on the firewall
SSL proxying with decryption for filtering abuse and data leak
DLP – related to SSL filtering but with the addition of protecting data at rest from leaving the network.
VMWARE/Hypervisor sensors to protect my virtual infrastructure

The vendors' offerings I am reviewing include:

Cisco
ISS
Juniper
Fortinet
Palo Alto

If I omitted serious contenders from my list please bring them to my attention.  I also have a feature matrix I am willing to share if anyone is interested.

Cisco has point product solutions for the most part, but Juniper, Palo Alto and Fortinet are combining some of the new abilities into a single appliance.

I am looking for conversation on the newer technologies as well as thoughts on combining them on a single, albeit clustered/HA, appliance versus separate solutions for each function.  Another thing I wrestle with is single-vendor solutions versus a hybrid solution that offers some diversity and a system of checks and balances.

Of particular interest is DPI.  From what I read this will be a major advance that really grants security admins control at the firewall that they never had before.

Please share your thoughts.

Thanks


_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: State of security technology for the enterprise

by ArkanoiD

You are kidding calling those technologies "new"?

Actually we do need something new. Think
entitlement management, role-based access control, data flow tracking,
embedded security tokens, OWASP frameworks, XML filtering etc.

At least document fingerprinting and discovery as a poor man's solution.
And configuration management and endpoint security solutions (not just "AV"!) for sure.

We are all going nowhere because we are stuck with our old toys -
DPI, IDS, AV, VPN etc. and actually have no idea how data flow *should* be managed -
and you are afraid of "potentially immature technologies"? God damn,
everything you list is as old as a mammoth's fossilized crap!

Well, have a look at IBM's Datapower at least - much of your data flow is XML, right?
And forget that Cisco makes "firewalls". Those are not worth their power supply units.

On Wed, Apr 29, 2009 at 09:30:47AM -0400, Chris Hughes wrote:

Re: State of security technology for the enterprise

by miedaner
The underlying architecture is very important to providing control.

Build in security zones: DMZ, transit, low to high zones.

From layer 1-7, as you move from low to high zones controls should increase and each zone should be set up to detect problems.

Less is more: permit few, deny all.

You can buy all the gadgets you want, but in the arms race that has been occurring for as long as I can remember, you will never ever be ahead of the enemy, or the clueless user, unless you don't allow it by default.

That being said, my experience:

Cisco is weak
Love Netscreen/Juniper
ISS is expensive and since IBM took them over is getting weaker
Palo Alto seems promising
Sidewinder is good
DPI is a marketing term to me

Re: State of security technology for the enterprise

by Marcin Antkiewicz

> The underlying architecture is very important to providing control.

I doubt that the original poster's question can be answered without
the rest of the relevant information. What is the environment? What
systems/data will be protected? Under what regulation? What budget?
How big is the staff? What's the infrastructure? What's the
organization's experience dealing with IT Sec risks?

A laundry list of technology is meaningless - each of the pieces must
work with the others, and satisfy some business need. If the latter
part is neglected funding tends to dry up in 2-3 years. Justification
to the business does not have to be extravagant, but it must be well
done, and in language and context that the business understands.

ArkanoiD is correct, the biggest Sidewinder is worthless if the
application folks decide to include passwords in Javascript. I know of
a few places that try to correct such creativity with iRules on F5s,
but that's just a race that the org is going to lose. Sidewinders and
F5s are not needed, secure SDLC will fix that problem. Add decent
development process to Sidewinders and the F5s and the org will be
doing quite well, but that's very expensive - requires cooperation of
IT Sec and App Delivery, which cannot be purchased.

I think I am trying to say that Security is a process, and cannot be
bought (in a sustainable manner), but that we all know already.

--
Marcin Antkiewicz

Re: State of security technology for the enterprise

by Chris Hughes-9

I have no idea how "new" these technologies are.  If they were mainstream technologies I would expect to see more of the mainstream vendors implementing them.  I can see where cutting edge security types would view "mainstream" as missing the mark.  The problem is, on an enterprise level, most companies are not willing to look at open source solutions or vendors they have never heard of.  They want brand names that can be supported by a wide audience of engineers.

I term the technologies as immature because the offerings I see leave something to be desired.

I am not aware of having XML data flows.  What are you referring to?

My purpose was not to offend you or become viewed as ignorant.  My purpose is to solicit opinions on these technologies which appear to me and the folks I deal with as "new".  I will look at IBM's offering as you suggest.


Re: State of security technology for the enterprise

by Chris Hughes-9

Point taken on chasing new technologies; however, with new methods of
controlling access and thwarting attacks I stand to gain an advantage where I
am currently vulnerable.

Good point on zones/architecture.  Since I was responsible for building the
network I was sure to take security into account.  The problem with internal
firewalling was the vast array of services offered and the churn of
development and implementation.  Development was hampered by programmers who
were not network aware.  New services are continually being brought online.
I am a team of one for security and there are nearly 150 servers and nearly
200 services riding on them.  This is an organizational issue I don't expect
to be resolved here.  However, it's worth mentioning when you consider UTM
could potentially make it all more manageable for folks in the same boat as
me.

I share your thoughts on the vendors.  So far Juniper is my favorite.  I
just looked at Fortinet today in a WebEx and it looks OK (FortiGate).



Re: State of security technology for the enterprise

by Paul D. Robertson

On Thu, 30 Apr 2009, Chris Hughes wrote:

> Point taken on chasing new technologies, however, with new methods of
> controlling access and thwarting attacks I stand to gain advantage where I
> am currently vulnerable.  

You're assuming that "new technologies" will enhance your ability to
secure a particular vector.  That's not always true, and new stuff often
increases the complexity of the defensive device, which can actually make
you more vulnerable rather than less.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@...       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/


Re: State of security technology for the enterprise

by Paul D. Robertson

On Thu, 30 Apr 2009, Chris Hughes wrote:

> "mainstream" as missing the mark.  The problem is, on an enterprise level,
> most companies are not willing to look at open source solutions or vendors
> they have never heard of.  They want brand names that can be supported by a
> wide audience of engineers.  

I've never seen that level of reluctance at any large enterprise I've
worked or consulted for.  In fact, in these economic times, "it's free" is
a lot more palatable than "you need to spend $10,000."  I'd gently suggest
that the security "sale" for the requirement isn't being done well enough
if you can't choose best of breed open source tools- especially if the
argument is "wide audience of engineers."  If your "wide audience" is
that narrowly focused, then I'd suggest removing the term "engineer" from
their titles and substituting "monkeys!"

> My purpose was not to offend you or become viewed as ignorant.  My purpose
> is to solicit opinions on these technologies which appear to me and the
> folks I deal with as "new".  I will look at IBM's offering as you suggest.

"Deep packet inspection" has been on the market as such for a number of
years as the challengers to "stateful packet inspection" looked for their
own marketing term.  The "problem" with DPI is that to do it right, you
basically have to mimic the fragmentation, ordering and reassembly of an
IP stack, then know what to look for as "bad"- by the time you've written
all of that, you may as well have written a real proxy where you know the
effects of that and you've got a mature implementation that's been in the
field for years- so the code bugs are hopefully already addressed.  We've
all seen how well proxies adapted to "new" stuff, and DPI has had the same
set of issues- the problem isn't so much the buzzword as the amount of
work necessary to do a good job coupled with the brain-deadedness of most
application protocols (security is not addressed in this document...)

Paul

Re: State of security technology for the enterprise

by Marcus J. Ranum

Paul D. Robertson wrote:
> "Deep packet inspection" has been on the market as such for a number of
> years as the challengers to "stateful packet inspection"

...And nobody has ever done an adequate job of explaining what is
stateful about SPI or particularly "deep" about DPI.   As one of those
obnoxious guys who always did everything at Layer 7, it seems more
like an argument about who's the tallest kid in the shallow end of
the pool.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

Re: State of security technology for the enterprise

by Paul D. Robertson

On Thu, 30 Apr 2009, Marcus J. Ranum wrote:

> ...And nobody has ever done an adequate job of explaining what is
> stateful about SPI or particularly "deep" about DPI.   As one of those

Oh, the stateful part was explained pretty well- as were the state tables,
it was the "inspection" part that was all over the map in SPI just like
in DPI...  

> obnoxious guys who always did everything at Layer 7, it seems more
> like an argument about who's the tallest kid in the shallow end of
> the pool.

I get to have a proxy conversation with a bank tomorrow, because *all*
their literature for their ACH service requires "unrestricted Internet
access" with (at least according to the manuals) no place to even put a
proxy for the HTTPS or FTP methods.  *sigh*

Paul

Re: State of security technology for the enterprise

by Brian Loe-2

On Thu, Apr 30, 2009 at 8:19 PM, Paul D. Robertson <paul@...> wrote:

> I get to have a proxy conversation with a bank tomorrow, because *all*
> their literature for their ACH service requires "unrestricted Internet
> access" with (at least according to the manuals, no place to even put a
> proxy for the HTTS or FTP methods.)  *sigh*
>
> Paul

It's been a while since I dealt with ACH - but I had thought that there
were "new" and "strict" requirements concerning such transactions
these days?

An argument against government intervention no doubt.

But what private association - or "body" of some sort - has worked
well in such things (dietetics association?)?

Re: State of security technology for the enterprise

by david@lang.hm

On Thu, 30 Apr 2009, Paul D. Robertson wrote:

> On Thu, 30 Apr 2009, Chris Hughes wrote:
>
>> "mainstream" as missing the mark.  The problem is, on an enterprise level,
>> most companies are not willing to look at open source solutions or vendors
>> they have never heard of.  They want brand names that can be supported by a
>> wide audience of engineers.
>
> I've never seen that level of reluctance at any large enterprise I've
> worked or consulted for.  In fact, in these economic times, "it's free" is
> a lot more palatable than "you need to spend $10,000."  I'd gently suggest
> that the security "sale" for the requirement isn't being done well enough
> if you can't choose best of breed open source tools- especially if the
> argument is "wide audeience of engineers."  If your "wide audience" is
> that narrowly focused, then I'd suggest removing the term "engineer" from
> their titles and substituting "monkeys!"

Oh, this level of reluctance is very definitely alive and well, even in
these economic times. I've got folks insisting that I rip out the working
open-source equipment and replace it with 'real' firewalls (which turns out
to mean Cisco equipment. It looks like they are going to force the
Sidewinders to be removed as well).

David Lang


Re: State of security technology for the enterprise

by Kowsik Guruswamy

Stateful is typically about 5-tuple flow tracking and maybe some
handful of protocols that need alternate ports (FTP is usually the
qualifier for someone to be stateful), and DPI is typically about the x
odd protocols that are decoded "enough" to claim deep.

And it makes a nice story.

K.

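The "stateful" and "deep" parts that Kowsik and Paul describe, as an added Python example that is not code from the thread or from any vendor named in it: a 5-tuple flow table that learns active-mode FTP data connections from PORT commands (the stateful part), and in-order TCP reassembly before a pattern check, so a marker split across two out-of-order segments is still found where a per-segment check misses it (the reassembly Paul says DPI has to get right). All class and function names, the addresses, the segments and the CONFIDENTIAL marker are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FiveTuple:          # the key a "stateful" device tracks per connection
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Segment:
    flow: FiveTuple
    seq: int              # TCP sequence number of the first payload byte
    payload: bytes

@dataclass
class FlowState:
    next_seq: int                                 # next byte the stream expects
    stream: bytearray = field(default_factory=bytearray)
    pending: dict = field(default_factory=dict)   # out-of-order segments keyed by seq
    scanned: int = 0                              # stream offset already parsed for PORT
    matched: bool = False                         # alert once per flow

# Active-mode FTP "PORT h1,h2,h3,h4,p1,p2": the client announces where it will
# accept the server's data connection (the usual reason a firewall must parse FTP).
FTP_PORT = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def per_segment_match(segments, pattern):
    """A signature check with no reassembly: each segment is inspected on its own."""
    return any(pattern in s.payload for s in segments)

class StreamInspector:
    """5-tuple flow table, in-order TCP reassembly, then inspection of the byte stream."""
    def __init__(self, pattern):
        self.pattern = pattern
        self.flows = {}        # FiveTuple -> FlowState
        self.expected = set()  # data connections announced on an FTP control channel
        self.events = []       # (kind, flow) in order of occurrence

    def open_flow(self, flow, isn):
        self.flows[flow] = FlowState(next_seq=isn)

    def feed(self, seg):
        st = self.flows.get(seg.flow)
        if st is None:
            if seg.flow not in self.expected:
                self.events.append(("drop-unknown-flow", seg.flow))
                return
            self.expected.discard(seg.flow)       # the pin-hole is good for one connection
            self.open_flow(seg.flow, seg.seq)
            st = self.flows[seg.flow]
        end = seg.seq + len(seg.payload)
        if end <= st.next_seq:
            return                                # pure retransmission, nothing new
        if seg.seq < st.next_seq:                 # partial overlap: keep the bytes already
            seg = Segment(seg.flow, st.next_seq,  # accepted, take only the new tail
                          seg.payload[st.next_seq - seg.seq:])
        st.pending[seg.seq] = seg.payload
        while st.next_seq in st.pending:          # drain whatever is now contiguous
            data = st.pending.pop(st.next_seq)
            st.stream += data
            st.next_seq += len(data)
        self.inspect(seg.flow, st)

    def inspect(self, flow, st):
        buf = bytes(st.stream)
        if not st.matched and self.pattern in buf:
            st.matched = True
            self.events.append(("match", flow))
        if flow.dport == 21:                      # FTP control channel: learn data flows
            for m in FTP_PORT.finditer(buf, st.scanned):
                host = b".".join(m.group(i) for i in range(1, 5)).decode()
                port = int(m.group(5)) * 256 + int(m.group(6))
                # the server opens the data connection from port 20 to the announced endpoint
                self.expected.add(FiveTuple("tcp", flow.dst, 20, host, port))
                st.scanned = m.end()

def demo():
    """Constructed traffic (not a capture): a marker split across two segments that
    arrive out of order, an FTP PORT command, and an unsolicited connection."""
    web = FiveTuple("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
    first = b"POST /upload HTTP/1.0\r\n\r\nCONFID"
    segs = [Segment(web, 1000 + len(first), b"ENTIAL design notes\r\n"),
            Segment(web, 1000, first)]            # second half arrives first
    insp = StreamInspector(b"CONFIDENTIAL")
    insp.open_flow(web, 1000)
    for s in segs:
        insp.feed(s)
    naive = per_segment_match(segs, b"CONFIDENTIAL")   # False: neither half contains it
    ctl = FiveTuple("tcp", "10.0.0.5", 40001, "192.0.2.20", 21)
    insp.open_flow(ctl, 500)
    insp.feed(Segment(ctl, 500, b"PORT 10,0,0,5,4,1\r\n"))   # announces 10.0.0.5:1025
    data = FiveTuple("tcp", "192.0.2.20", 20, "10.0.0.5", 4 * 256 + 1)
    insp.feed(Segment(data, 1, b"file contents"))            # accepted via the pin-hole
    stray = FiveTuple("tcp", "198.51.100.9", 5555, "10.0.0.5", 4444)
    insp.feed(Segment(stray, 1, b"unsolicited"))             # no state for it: dropped
    return naive, insp.events
```

Calling demo() returns (False, [("match", web), ("drop-unknown-flow", stray)]): the split marker is found only once the stream is reassembled, the announced FTP data connection is admitted, and the unsolicited one is not.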

Re: State of security technology for the enterprise

by Chris Hughes-9

The environment is a product development environment that is under constant threat from the outside and has a history of inside threats/attacks.  I am protecting mostly Microsoft systems with some *nix.  The data at highest risk is source code and product development documentation.  I need to be at least FIPS 140-2 compliant.  As far as budget goes, I was hoping to spread the purchase between this year's and next year's and keep the total spent less than 70K.  Staff??  I'm it.  Experience dealing with IT security risks is about an 8 on a scale of 1 to 10.  I've caught a few, been attacked internally a few times and externally on a continuous basis.  Corporate espionage is a reality for me.

While all this is important to consider when choosing a solution, I'm not that far along yet.  My intent is to investigate the state of security technology so that when I am ready to choose a solution or set of solutions, I can go with product(s) that are forward thinking and least likely to require a forklift upgrade in the next 3 years.

You make a good point that the pieces of the overall solution must work closely with each other.  This is something the vendors of security solutions are fighting.  They want me to think that they are so good that they can handle it all.  My current solution is hybrid and on more than one occasion I've seen one vendor miss something and another catch it.

True security cannot be bought, but with the growth of new technologies come new threats that are not as easily dealt with by using a six shooter.  As an example, VMWare tells me not to run endpoint protection in my virtual environment and that there are products out there that sit at the hypervisor layer to protect VMs from attacking each other.  (I left that out of the environment section.  We are 70% VM and will be 90% by end of year.  This is a big consideration.)

From: Marcin Antkiewicz <firewallwizards@...>

Subject: Re: [fw-wiz] State of security technology for the enterprise

To: miedaner@..., Firewall Wizards Security Mailing List

      <firewall-wizards@...>

Message-ID:

      <7ed5f2120904292213r55acf650n92cc1a34a3f7cea6@...>

Content-Type: text/plain; charset=ISO-8859-1

 

> The underlying architecture is very important to providing control.

 

I doubt that the original poster's question can be answered without rest of the relevant information. What is the environment? What systems/data will be protected? Under what regulation? What budget?

How big is the staff? What's the infrastructure? What's the organization's experience dealing with IT Sec risks?

 

A laundry list of technology is meaningless - each of the pieces must work with the others, and satisfy some business need. If the later part is neglected funding tends to dry up in 2-3 years. Justification to the business does not have to be extravagant, but it must be well done, and in language and context that the business understands.

 

ArkanoiD is correct, the biggest Sidewinder is worthless if the application folks decide to include passwords in JavaScript. I know of a few places that try to correct such creativity with iRules on F5s, but that's just a race that the org is going to lose. Sidewinders and F5s are not needed, secure SDLC will fix that problem. Add a decent development process to the Sidewinders and the F5s and the org will be doing quite well, but that's very expensive - it requires cooperation of IT Sec and App Delivery, which cannot be purchased.

I think I am trying to say that security is a process, and cannot be bought (in a sustainable manner), but that we all know already.

--

Marcin Antkiewicz


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: State of security technology for the enterprise

by Chris Hughes-9

In thinking about it I guess the reluctance is based more on management being concerned that if I architect an open source solution and leave, there will be a smaller pool of people to choose from to support it going forward.  Because I am a staff of one for security, there is also the fear that if I am out and someone needs to “take a look” or respond to a problem, there is no easy support to call.  In these lean times they refuse to hire extra personnel.  Anyhow, I am willing to consider open source solutions where they fit.

 

Good info on DPI, thanks.  This is the kind of information I’m looking for.  I am not currently using a proxy and had planned on buying BlueCoat last year for use both as a proxy and decryption/re-encryption of SSL for inspection.  Then I was forced to spend the $$ on a new SAN.  This is one piece I wanted in place this year.


----------------------------------------------

Date: Thu, 30 Apr 2009 17:06:52 -0400 (EDT)
From: "Paul D. Robertson" <paul@...>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: Firewall Wizards Security Mailing List <firewall-wizards@...>
Message-ID: <Pine.LNX.4.44.0904301656590.4359-100000@...>
Content-Type: TEXT/Plain; charset=US-ASCII

On Thu, 30 Apr 2009, Chris Hughes wrote:


> "mainstream" as missing the mark.  The problem is, on an enterprise
> level, most companies are not willing to look at open source solutions
> or vendors they have never heard of.  They want brand names that can
> be supported by a wide audience of engineers.

I've never seen that level of reluctance at any large enterprise I've worked or consulted for.  In fact, in these economic times, "it's free" is a lot more palatable than "you need to spend $10,000."  I'd gently suggest that the security "sale" for the requirement isn't being done well enough if you can't choose best of breed open source tools- especially if the argument is "wide audience of engineers."  If your "wide audience" is that narrowly focused, then I'd suggest removing the term "engineer" from their titles and substituting "monkeys!"

> My purpose was not to offend you or become viewed as ignorant.  My
> purpose is to solicit opinions on these technologies which appear to
> me and the folks I deal with as "new".  I will look at IBM's offering as you suggest.

"Deep packet inspection" has been on the market as such for a number of years as the challengers to "stateful packet inspection" looked for their own marketing term.  The "problem" with DPI is that to do it right, you basically have to mimic the fragmentation, ordering and reassembly of an IP stack, then know what to look for as "bad"- by the time you've written all of that, you may as well have written a real proxy where you know the effects of that and you've got a mature implementation that's been in the field for years- so the code bugs are hopefully already addressed.  We've all seen how well proxies adapted to "new" stuff, and DPI has had the same set of issues- the problem isn't so much the buzzword as the amount of work necessary to do a good job coupled with the brain-deadedness of most application protocols (security is not addressed in this document...)

 

Paul

-----------------------------------------------------------------------------

Paul D. Robertson      "My statements in this message are personal opinions

paul@...       which may have no basis whatsoever in fact."

           Moderator: Firewall-Wizards mailing list

           Art: http://PaulDRobertson.imagekind.com/

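Paul's point that an inspector must "mimic the fragmentation, ordering and reassembly of an IP stack" is easy to see in code. The added example below (mine, not from the list or any vendor) checks a constructed HTTP request, delivered as out-of-order TCP segments, against a placeholder path-traversal signature: per-segment matching misses a pattern that straddles a segment boundary, while matching over the reassembled stream finds it. Sequence numbers are relative, the overlap policy is one of several a real stack might use, and the pattern is illustrative only.

```python
import re
from typing import List, Tuple

# Placeholder detection rule: a classic IDS-textbook signature, chosen for
# illustration only (not a real vendor rule).
PATTERN = re.compile(rb"/etc/passwd")

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)

# Constructed sample stream: one HTTP request split into three segments,
# delivered out of order. The signature spans the 2nd and 3rd segments.
SEGMENTS: List[Segment] = [
    (0,  b"GET /cgi-bin/a?f=../"),
    (29, b"sswd HTTP/1.1\r\n"),     # arrives before its predecessor
    (20, b"../etc/pa"),
]


def inspect_per_segment(segments: List[Segment]) -> bool:
    """Naive inspection: look at each segment's payload on its own."""
    return any(PATTERN.search(payload) for _, payload in segments)


def reassemble(segments: List[Segment], initial_seq: int = 0) -> bytes:
    """Rebuild the contiguous byte stream the receiving host would see.

    Segments are ordered by sequence number. Reassembly stops at the first
    hole (bytes never received), and for overlapping data the bytes already
    accepted win. That overlap policy is one choice among several; real
    stacks differ by OS, which is exactly why an inspector has to model the
    behaviour of the host it is protecting rather than pick one at random.
    """
    stream = bytearray()
    expected = initial_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if seq > expected:
            break                 # hole in the stream: stop, do not guess
        if end <= expected:
            continue              # pure retransmission, nothing new
        stream += payload[expected - seq:]   # drop the overlapping prefix
        expected = end
    return bytes(stream)


def inspect_stream(segments: List[Segment]) -> bool:
    """Inspection done the way a proxy sees the data: after reassembly."""
    return PATTERN.search(reassemble(segments)) is not None


if __name__ == "__main__":
    print("per-segment match:", inspect_per_segment(SEGMENTS))  # False
    print("reassembled match:", inspect_stream(SEGMENTS))       # True
```

The same stream reaches the web server intact, so only the reassembling inspector reflects what the endpoint actually processes.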