mailing list archives
Re: Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 26 May 2006 12:49:05 -0700
In infosec today we are coining terms and creating methods on
a daily basis - this is not a mature area of endeavor. When
it is a mature space, we will have much more "integrated"
"weapons platforms", whether single-vendor or standards-based.
argh. i resisted as long as i could...
back in the distant past when i was teaching eager young network admins
about VPN technology (say, 1997), i would frequently predict that within a
couple of years, there wouldn't *be* any third party VPN systems. things
like opportunistic encryption and IPv6 (which incorporated the kinds of
things you were "doing" with the VPN anyhow) would be widely deployed within
operating systems' network stacks. you might have one or two serious niche
vendors for things like military and hard-core financial, but for most folks
"what the computer did" would be good enough.
now, of course, i point to the timeframe of that prediction as an obvious
sign of my being *way* too optimistic about the market. but i think the
*idea* is still valid, if taking way longer than it would in a more rational
think about user authentication. once upon a time, we didn't *do* user
authentication, cos there just weren't very many people on the machines.
then it became necessary -- and users *bitched* about the great torture of
having to type their poorly-chosen passwords -- and now hardly anyone thinks
about its necessity. yeah, there are a couple of companies trying to make
high end, uber-auth-on-steroids versions -- and yeah, there are lots of
problems in the current design, like dependence on re-usable passwords and
lack of ability to do really fine grained authorization based on userID or
org role. and oh joy, single sign-on. but in fact the incorporation and
acceptance of user authentication on a system-by-system basis is something
no one really argues about any more.
MS, heaven help us all, has taken the idea of user authentication and
authorization a step further by building the *only* possible enterprise wide
IPsec management infrastructure in the world, by allowing orgs to tie user
rights and machine communications policies into a crypto infrastructure.
they've been using that capability since before blaster, to give admins a
better way to do firewalling than using the silly firewall that comes with
XP. this is a huge big deal, and they've done it very quietly. i don't
understand *why* they're so quiet about it, actually, especially with all
the current ruckus about "NAC." fact is, although the unix-loving-MS-bashing
crowd in which i occasionally run (*grins*) would never trust it, the
combination of active directory based policies and IPsec based network
enforcement has *already* put the entire community of third-party NAC
vendors out of business. your enterprise windows admins have invested years
of time and energy into building the right set of policies for their
organization, and they're not going to take kindly to a third party telling
them they have to replicate all that policy info in a separate location.
again, there may be an exception for the few orgs that want something really
posh, or haven't figured out how to do the same management tricks for OS X
and unix with ipsec.
but if you step back from the marketing fireworks and the OS religious
battles, and think about what you actually want to DO with a particular
security technology...surely there's a utopia out there somewhere in which
all those functions are incorporated into the OS itself, in EXACTLY THE SAME
WAY that operating systems now have user authentication (for better or for
worse) and a TCP/IP stack incorporated.
long term survival will go to the folks who learn how to integrate what
they're doing into what "most folks" already do. and of course, to us poor
slobs who have a knack for making them all play nice together...
hmm. good thing i polished up my rather battered crystal ball :-) in time
for the long weekend.
cheers - tbird
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com