People here have been arguing over
1. Is it better to have source?
2. Do anybody need source?
A simpler and more complete way to phrase the question is:
"How valuable is source to each party involved in a software/firewall
There are basically two types of decision makers:
A. Those who in the end are responsible for network security
B. Those who pay them
B types don't care at all about source. They just care that the job gets
done. They make a choice of hiring an internal tech guy, hiring a
consultant, and purchasing shrink wrapped solutions.
Each A type doesn't want anyone else altering their setup. It is their
ass thats on the line and they want to know that they are only
responsible for the decisions they make.
*Shrink Wrap Vendors
Therefore the shrink-wrap vendors believe themselves to have final
responsibility for security. They don't want to be held responsible for
screw-ups by end-user altering their software. They have also innovated
and want to earn revenue from their innovations. They have many customers
so the needs of individuals customers aren't all that important. They
can force some to wait for fixes to various problems and for ports to new
Aren't doing much innovation. They are responsible for customization at
the site, and need access to some configuration tools. In essence, they
value-add other parties packages. They seek the safety of being able to
blame the vendor. They are most interested in the two layer (security,
config) approach disscussed earlier.
Knows that the real responsibility lies with them. They are incredibly
concerned about each detail of the software on their system. They are
doing the maintenance and know that their head is on the block if things
break. They feel the need to know everything that is going on and they
need to have bug fixes yesterday. It is Internal IS that most wants
Given these needs how about a component solution:
Software vendors: Rather than packaging monolithic tools, vendors
distribute small testable pieces. They can show that each of these
pieces works and can therefore avoid some blame for end-user
Security Consultants are responsible for integrating the pieces (knowing
that each is secure). Security consultants are responsible for keeping up
with news relating to all security products and keeping their clients
Internal IS: Gets pieces they know work (thanks to the vendor), in an
observable and (hopefully)reliable configuration thanks to the
consultant. The Internal IS and swap individual pieces as necessary
because the pieces are functionally easy to understand. They get updates
about problems and prospective fixes. Since the pieces are easy to
understand, the consultants can replace them with other pieces as bugs
S. Alexander Jacobson Internet Virtual Office Inc.
com Consulting info @
http://vo.com/people/alex/ ** http://virtual.office.com
1-212-799-2645 voice Technology gopher.virtual.office.com
1-212-799-1075 fax Strategy telephone: 1-800-TODAY-VO
Re: TRUST US?
From: "Johnson-Bryden, Ian" <IJB @