Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: Chris Blask <chris () blask org>
Date: Fri, 26 May 2006 09:51:17 -0400

At 09:00 AM 26/05/2006, Paul D. Robertson wrote:

On Thu, 25 May 2006, Chris Blask wrote:

o The best gadget in the world is no good if the maker doesn't survive
to support it.  

Sure it is.  The vendor isn't the only choice for support, and if it's 
good enough to be the best, it shouldn't *need* regular support.

I don't believe in static security.  If something was good enough to be best it would still be imperfect.

The "vendor" could be the open source community, in which case the source is there for everyone to support, but a great 
product from a dead or badly-acquired company can be worse than useless.

o Another analog to twist would be: a bunch of talented
and enthusiastic guerillas may be good at the start of a conflict, but
when it gets really serious you'll be unhappy if you are not the one
with the integrated weapons platform...

1.  You're comparing apples and oranges, soldiers against weapons.
2.  With the right guerilla force, the shiny new expensive platform is 
already useless by the time you deploy it *if it even makes sense for the 
conflict you're in rather than the last conflict that happened when the 
weapons platform makers all got their contracts.  

Analogies are never very accurate (my favorite quote from an English teacher in HS: "There is no such thing as a 
synonym").

However, to pursue the military analogy:

History is full of tales of the vanquished who've felt their superior 
large-scale do-everything weapons could win.  That's one of the reasons 
the US strategy to go to small light and mobile divisions is interesting- 
it's a step away from the tradional "bigger, more" philosophy of 
multi-billion dollar pork projects and Congress forcing the purchase of 
ineffective integrated weapons platforms.

o  The reason the US military can sucessfully use "small and light" tactics today is that they have an integrated 
weapons platform.  Robust standardized components tested to death (pun) interoperate in well defined ways, and small 
changes are enormously vetted before being released to the battlefield.  Inventing new guns that take new bullets and 
are given to soldiers with new communications systems that use new protocols to sync up with new command structures 
that analyze data in new ways and provide tactical feedback in new schemas - well, that just wouldn't work real well.  
"Small and Light" in the US military context is only possible because they have developed "Huge and Heavy" amounts of 
testing and experience.

Of course, "small and light" can also be "we're just making this sh*t up as we go along and don't mind dying", 
sometimes introducing the surprising successes of randomization.  Ironically, by the time a new technique discovered 
that way becomes wide-spread, it often loses the characteristics of surprise and flexibility that makes it successfull.

In infosec today we are coining terms and creating methods on a daily basis - this is not a mature area of endeavor.  
When it is a mature space, we will have much more "integrated" "weapons platforms", whether single-vendor or 
standards-based.

-cheers!

-chris


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.1.392 / Virus Database: 268.7.0/345 - Release Date: 22/05/2006


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.1.392 / Virus Database: 268.7.0/345 - Release Date: 22/05/2006


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]