On Sat, 1 Nov 1997, Russ wrote:
> IMO, TIS are extremely concerned, now that they are a public
> corporation, with the marketing perception of AGs. The fact that two SPF
> vendors are equaling their shipped boxes figures must have a significant
> impact on their expected projections. Fred Avolio has combined valuable
> information with marketing specific rhetoric in an attempt to refocus
> potential customer attention on what should be a very important
> decision.
Which is immaterial to the subsequent discussion of technical features
which ensued.
> It's extremely expensive, and very difficult, to prove that one
> implemented Firewall is "better" than another implemented Firewall, in the
> same facility. Recreating the test traffic to obtain a valid comparison,
> while ensuring that the traffic is "real-world" to the customer's
> regular traffic, normally prevents such comparisons. Therefore, the
> marketing of SPF vs. AG must come down to "religious" issues for most
> customers.
Which doesn't mean that a number of people haven't done such tests. I
think your predicates may hold true for 'most customers', but that
different predicates, and resultant answers should apply for security
professionals. Just because you, or your customers, or your company
(generically, not personally) can't do valid tests doesn't make valid tests
any less relevant.
> I think Frank made a valid point, originally, when he said that this was
> a new tack for TIS, and one he didn't appreciate (regardless of his
Not very new, it was discussed quite some time ago on c.s.f.
> If, as security professionals, you don't appreciate the marketing battle
> that's been going on for the last 2 or 3 years, I'd suggest you're missing
> something. SPF vs. AG give customers a basis to describe their general
If, as security professionals, we don't take the time to learn each of the
issues behind the technologies, and can't separate the marketing issues from
the technological ones, then I'd suggest we'd be missing a bigger piece of
the pie. I'm tasked with evaluating and implementing technologies, not
marketing departments. That requires that I know to ask if a packet
filter drops FO=1 packets, or if an application gateway MITMs SSL to pass
it through an HTTP gateway, not if "hackers prefer xyzzy", or "Wunderwall
is sold in K-Mart with a bottle opener."
> in their terms). Understanding, fully, all "generations" of Firewalls is
> essential, just as essential as understanding perceptions about those
> "generations".
Being able to understand and articulate the technologies is more important
for those of us in the field. If one of my business units is trying to make a
security decision based on perception, it's my job to go hit them with the
clue hammer. That generally takes a day at the white board, irregardless of
which perception they're making the choice based on. Calling them
generations is IMO a misnomer, since I don't happen to believe that they
are replacements for each other. They're different animals, they can and
do interbreed into hybrids, but there are circumstances where one is more
appropriate than the other for each case.
I've got some problems with the way some application proxy vendors
(including TIS) handle some protocols as well as the way that packet
filters handle them, but after the initial vendor bashing, this thread was
about the technologies and we've only gone to implementations where it was
necessary to prove or disprove a point. For what it's worth, this thread
has probably been the best overall discussion this list has had in about
a year.
I've put packet filters, application gateways, and hybrids into various places.
I think I've got a good grasp of the technologies, as well as the
implementations. I also have a good grasp of the business case and the
particular threat models. While I'm aware of the marketing issues, I
don't think they are relevant to the technical discussion which this
bloomed into. I don't know why we're vectoring back to the marketing
stuff here, since the first couple of notes pretty much covered that ground.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net  which may have no basis whatsoever in fact."
PSB#9280