mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Thu, 25 May 2006 21:55:05 -0400
At 08:24 PM 25/05/2006, Marcus J. Ranum wrote:
Hey M. JR!
I think it's going to happen no matter what anyone wants. Because
the security market is consolidating into 2 types of companies:
- single solution VC-backed start-ups chasing the hot topic du jour
- huge mega corporations that don't actually develop anything and
simply buy and integrate technologies to a greater or lesser
...and that's not all bad.
o The best gadget in the world is no good if the maker doesn't survive to support it.
o Another analog to twist would be: a bunch of talented and enthusiastic guerillas may be good at the start of a
conflict, but when it gets really serious you'll be unhappy if you are not the one with the integrated weapons
Basically, 'best of breed' only survives in a market that has not
stabilized yet, and security has stabilized to the point where, basically,
it's just marketing weasels coming up with cool new names for proxies,
packet filtering, and signature matching.
Inasmuch as proxies, packet filters and signature matching have been done already, there isn't anything left but for
Sears and Walmart to argue about whether theirs is 8% greener or cheaper. I mean, if an engineer at Volvo comes up
with a really neat material for a crank bearing it isn't going to change the world by itself.
I agree with you that best of breed and defense in depth make a great
deal of sense but the commercial security market will likely not support a
vibrant vendor-base much longer.
An interesting proof of open source philosophy would be Enterprise-viable open source solutions large and small that
would compete with commercial offerings. With a stabilized market, there shouldn't be any reason that the open source
community couldn't amass a large enough variety of tools and mature integrated/ing packages to drive competitive
evolution in commercial products. To date this whole infrastructure is only half baked so open source isn't any more
complete, consumable and reliable than some single-vendor or psuedo-BoB alternative, but given time to stretch its legs
I'd be disappointed if it didn't show well.
Open source is always amazing at coming up with new things. Let's see if it can come up with scalable security.
Indeed, my guess is that security,
as a market separate from network infrastructure/management and
system administration is not likely to last another 10 years. If you
look at the current trends, it may even happen that the security market
will be mostly gone in 5. Once the big players have absorbed enough
basic security features they'll be able to suck the oxygen away from the
remaining small players by offering those features as freebie option-ons
and it's "game over, man."
Ten years from now we should have at least a solid handle on the complete model of what a secure global internet thing
looks like. If there are still waves of security-topic-of-the-day startups being funded 10 or 15 years from now then
hosts will have to actually suck more than this unprotectable windows piece of cr () p I'm typing on now, and we've all
screwed up in letting it drag on so long.
Maybe the current crop of startups is among the last and will mature out in five years or so, but I think things are
still more screwed up than that. Specialized security startups could pop up forever, but there has to eventually be an
"end" of sorts to inventing basic nuts and bolts.
By the way, NONE of this will result in the end users having usable
and effective security. Remember, the security market does not exist
to provide security; it exists for itself. When it's a dried-out husk the
game will move someplace else and you'll STILL have insecure
Maybe it's the longer cycle that contains the Secure Solution. Let the rabid growth and invention phase move past and
allow to cool on a window-ledge for a few decades...?
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.392 / Virus Database: 268.7.0/345 - Release Date: 22/05/2006
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com