Dana Nowell <DanaNowell @
> Maybe I'm assuming you are offering something bigger than you are (it IS pre
> coffee time), but my main concern is the 'old news' factor of information
> like this. Can such a document be written and not become dated in say 6
> months or a year (I think an FAQ entry should last at least a year). The
> more specific you get, the more likely the next OS patch or cracker attack
> mechanism will make it dated.
The firewall FAQ (which I maintain) is somewhat dated, but
that reflects the fact that firewalls are becoming a "mature"
technology which is well on its way towards becoming a
commodity. Many of the basic issues remain the same, but the
details change; trying to keep up with details would be hellish
work since now the vendors are all rapidly changing the details
every couple of weeks. :)
Believe me, I've considered trying to keep the FAQ aggressively
up to date, including information about specific products and
current issues. The problem with doing that is that it'd be a
full-time job, and I already have 3 (at least!) full-time jobs. My
cat would do it, but he can't type with his little paws -- or at
least that's his excuse.
With the FAQ I've tried to provide a vendor-neutral
consultant-neutral source of information that answers the basic
question "what is a firewall?" -- we used to get that one pretty
often. Nowadays it's down to about one every 4 months instead
of 4 a week like in the early days. Also, there was a time when
there were no books on firewalls. :) I, personally, believe that
FAQs become obsolete as soon as a decent book on a topic
is available, and with excellent examples from Bill, Brent,
Elizabeth, and Steve, I doubt there's a lot of use for a FAQ
anymore, except as a starting place for people who need only
a glimmering of surface-level information.
> Broad overview information MIGHT remain reasonably accurate, but is there
> enough to justify the effort? If you are actually offering something along
> the lines of the fact that the OS is not the issue as long as the user can
> plug all the holes over the short and long term (whatever that means), list
> the advantages/disadvantages of source code availability, and general
> statements of that type, then I withdraw the reservation. Of course, if you
> don't get specific, is it really useful?
High-level theory discussions (like my recent posting on
OS level issues) tend to not fit well in a FAQ. That kind of thing
belongs more in a refereed, archived online magazine about
computer security. There are few/none that are vendor-neutral
or consultant-neutral enough that I'd be willing to write for them,
unless I started my own. :) [By "consultant-neutral" I mean
"not a thinly-disguised front for drumming up business for some
Another problem with the high-level discussions is that they
need to be archived and eventually removed. I find myself in the
un-amusing situation periodically of being confronted with things
that I said 5 years ago, regurgitated as gospel. People look at me
funny when I explain that reality changes and so do my views. :)
5 years is a long time -- back in those days, for example, you
couldn't FTP source for a complete UNIX clone: application firewalls
were the ONLY game in town if you didn't want to have your brain
tied down with legalisms and pay $60,000 to AT&T for the privilege.
Lastly, there's the question of whether it's interesting
anymore. I personally have trouble getting excited about firewalls
-- most of the offerings from most of the vendors are fundamentally
the same thing. That's not to say there's anything wrong with
them, it's just that it's hard to get excited about them, either.
The only area left where I could imagine things would get exciting
would be a Consumers' Reports type magazine for computer
security products. Unfortunately, I don't think the market is
mature enough, and the customer demand simply isn't there.
We *WON'T* get vendor-and-consultant-neutral reporting on
something like security products until there's enough of a
readership that it can be reader-funded.
>>Basically, I envision an entry like "Which operating system should I
>>use?" and then have a summary (perhaps a bullet-list) outlining the
>>issues in dealing with NT, when to use it, when not to; then, issues
>>with Unix, when to use it, when not to; and pehaps a summary that
>>basically says things that everyone agrees on like "you have to know
>>the OS you're using," etc., as well as perhaps mentioning that other
>>OSes besides Unix and NT can be used...
Perhaps the only advantage of being the FAQ-dictator is that
you can inflict your opinion and people can't complain because they
didn't pay for it. :) See, for example, I think, and continue to go
on record as thinking, that operating systems are completely
irrelevant to a correctly constructed firewall. So, what then is
the point of WindowsNT versus UNIX versus VMS or whatever?
Now, that's perhaps a radical opinion -- so I have kept it out of
the FAQ because I don't want the FAQ to become arguable.
If I put something in the FAQ saying basically "application gateways
and packet screening are basically the same thing if done right"
some people will squeal like stuck pigs and others will quote it
and dance in the streets. Either way, the public interest is not
served by a FAQ that is either a marketing lever or arguable.
(Hint: If I like it, it's a marketing lever. If I don't like it, then
it's inaccurate) This is the reality now that we've got a "firewall
market" with over 60 vendors and some of them doing IPOs.
>>Is there interest in this? mjr? (I'd like to know that a good summary
>>of the issue will get put into the FAQ before going ahead and writing
>>such a thing :-)
Anyone who wishes to contribute to the FAQ is encouraged to
do so. I reserve the right to reject, rewrite, or edit the
contributions. If you don't like my edits or rewrites you're welcome
to argue with me (a good argument! that's interesting!) and I'm sure
we can work things out.
Remember, people, for the FAQ to represent anything other
than mjr's opinions, you need to contribute. I'd be happy if someone
would mush my recent response about O/S issued into a form suitable
for the FAQ. I'd be happy if someone wants to review it and send
me updates subject to review. Whatever you do, use the most
recent version, which is on:
Marcus J. Ranum, Chief Scientist, V-ONE Corporation
"I'll have time to be laid back when I'm laid out on a slab"