Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 26 May 2006 09:42:32 -0400
> > My guess is that VCs would split a rib laughing if someone came
> > to them with a business plan for a new firewall company. :)
> Damn sure. And maybe that's why we have nothing like "Gauntlet on steroids"
> (flexible, expandable and supported with development team who is willing
> to help to integrate it with any customer application) these days, though
> there definitely *is* some niche market demand for it.
It's not a matter of funding - it's more a matter that there's no economic
niche in which someone could offer such a thing and survive to continue
doing so. Because 95% of their target customer base would ignore
what they offered and follow the herd and buy whatever the big
conglomerates are pushing (CA / Symantec / Checkpoint / Cisco, etc).
The remaining 5% of the potential customer base would represent
the clueful consumers, among whom probably 1/2 (or 3%) are
cost-constrained - have you ever noticed how being cost constrained
makes IT specialists use their brains harder? - and they'd go with
some kind of "free" open source solution. That'd leave a target customer
base of maybe 2% of the overall market. Which, in the words of
Peter Kuper "that's not a market, that's a hobby."
Kuper gave a talk I attended a year ago, or so, which was really
sobering and very thought-provoking. In it, he pointed out that if you
took the total US spend on computer security, and subtracted
out of it the security revenues of the top 5 players, you've only
got something like 4% of the target revenues remaining. So there
are 800+ security-related companies fighting over that 5% and
even if you assume the revenues get distributed evenly that's
something like $20 million / year apiece. When you add to the
mix the fact that most of the 800+ security companies on the
market are VC funded in some way, and are not profitable, it
means there's going to be a great big die-off coming in the
not-too-distant future. Throw the open source "X factor" into the
mix and it gets even more explosive - if you're a small start-up
producing a decent widget and some open source project
comes along producing a 95% decent widget you're likely to see
your economic niche shrink to a thread overnight.
> We are lucky XML firewalls became reality, thanks to people who made those.
I'm on the fence about that one. Having XML firewalls is kind of
like having a nice band-aid to put over your sucking chest wound.
Well, it's great, but you'd rather not have had the sucking chest
wound in the first place.
> There is *NO* firewall with reasonable IMAP proxy implementation! No one at
There is *NO* market for one. None at all!!
Customers will prefer, any day of the week, to buy a high-speed
"deep psychic turbo packet multi layer do-diddly packet blender"
firewall that's basically an in-silicon switch that knows how to
update a state table entry and does regexps to look for well-known
attacks against IMAP. And the sophisticated customers at the
low end of the market will just grit their teeth and build their own
out of courier + postfix or whatever and have something that's
free, a bit unwieldy, but basically OK.
> And when I try to tell someone I am a firewall developer, they usually think
> it is another stupid Linux-based packet filter hacked together with a bunch
> of freeware tools hiding its incredible ugliness behind the web interface.
> Even before I say a word. Just because everyone does that and the main competition
> is to make it cheaper.
...and faster. Don't forget faster!
If you can't be good ...be really fast.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com