Security Ripcord


Tipping the King, Resetting the Board

I have to concede to Chris on several points of his latest post. I do so because:

  1. He definitely has more experience than I in deploying a variety of controls in a variety of environments of varying size.
  2. He definitely has more experience than I in speaking to the capabilities of these controls and providing comprehensive and understandable analogies and examples.
  3. He definitely has more time than I to correlate and integrate free and expensive, disparate and concise literature and case studies to fuel his analogies and examples, and to employ them in a variety of circumstances.

After all, it is what he does for a living. And he is very good at it. That is why he is listed in my blogroll and in the majority of the blogrolls associated with my daily information security firehose. Hell, it is why he can list articles in many hard and soft copy information security publications.

Me, on the other hand, I am a security professional wielding my experiences and knowledge to the best of my ability to provide my employers and customers with the same level of service Chris provides, despite my limitations due to time in service. I use my experiences with technology, interactions, and introspection to form my conclusions and present them as the very best solution for the situation. I will personally guarantee the deployment of every one of my recommendations and provide mitigation suggestions when it is, as we know it will be, circumvented, exploited, outdated, outclassed, obsolesced, ineffective, unmanageable, flappable, overly expensive, or just plain wrong. In other words, I am confident and I am willing to make mistakes because I can fix them, and the majority of the time I will not make them again.

I truly think that this whole blogging interaction started because of my attempt to be flamboyant about the topic to draw attention to it. Unfortunately, as most gussied up topics do, the central point of the discussion was lost for a while. Luckily, in his last post, Chris brought it back around. Let me try to talk about my point in very plain English.

I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure. I have a problem with these solutions because the technologies they are combining on one system are not simple applications. They are robust technologies with a lot of complexity, and I am afraid that the vendors will not take the interoperability of these technologies into consideration before they push them to market. I would much rather recommend to my employers and customers that we limit the utilization of such technologies to select portions of the internal network where they can provide the most value with the least concern. I feel much better placing tried and true simple, relatively speaking, controls at the locations associated with high risk. I don’t have foolproof examples. I don’t have case studies to back up my hypothesis. I have my feelings and opinions. And, actually, since I am not dealing with Fortune 500 CEOs, CTOs, CISOs, and patent-producing, PhD-wielding end users, I don’t really need them. In the realm of the small, limited-budget network, my feelings and opinions have been, to this point, sufficient.

Next, I don’t think I have a problem with purchasing a UTM to provide a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell, because I believe that UTM developers have taken the complex nature of these technologies into consideration. I was hoping that somebody I know would respond by telling my readers, and theirs, whether or not UTM solutions are better than the “all-in-one” firewall solution advertised in the DarkReading article, and why. If I had to guess, because of my aforementioned lack of UTM experience, I would think that UTMs separate the responsibilities in much the same manner as role-based control.

Can anybody answer this question for me? It is all I really wanted out of the whole conversation.

So, Chris, I lay my King down so that we may reset the board and start the next conversation fresh. I think you are correct when you say that I need to provide more clarifying evidence during my conversations. I will take it to heart as much as I can in my day to day security related duties. I’ll even attempt to do so in my blogging. But, as my blog is more for personal edification, education, and venting I have a feeling that a few misguided and ill-informed opinions will slip in from time to time.

Go forth and do good things,

Don C. Weber


3 Responses to “Tipping the King, Resetting the Board”

  1. Don:

    I’m not trying to be the king, but I think the point here that you’re missing is that there’s little if any difference, except for a marketing handle, between UTM devices and “all-in-one” firewalls like those mentioned in the DR article.

    What I mean is when you said “I have a problem with vendors who are developing products that provide many security controls on one system (not UTMs, I’m talking firewalls performing a combination of spam detection, anti-virus, protocol analysis, data evaluation, and whatever else the vendor thinks will sell) and selling it as the ultimate solution for the perimeter of a company’s infrastructure.”

    …that *IS* UTM, especially within the realm of the small business/small enterprise.

    The reason it exists beyond what you allude to as (almost) vendor greed is actually the “natural” market convergence of functionality over time where features/functions become commoditized and are integrated into larger solution sets.

    At a high-level I will agree that statistically based upon current industry trends of errors per lines of code that you will, on average, see the additive effect of combining functions when you add new features, but many of these errors do not lead to exploitable vulnerabilities.

    And finally, in terms of risk, there are many facets of the definition: financial, operational, technical, reputational, etc…

    In using these products – whether you call them UTM or not – a decision is made that given the maturity of these products, the cost and “complexity” of maintaining 5-6 disparate systems, the need to streamline operations, etc. outweighs the risk of combining these functions.

    Most SME/SMB’s do not deploy multi-vendor, split DMZ architectures, so they do rely on a single product and have for years…

    It’s getting much more difficult to find “just” a firewall, “just” an IDS, etc. Each of these product categories is becoming more and more blurred as they all — wait for it — add functions to remain competitive and give the users what they want. More bang for the buck.

    And just for the record, the Palo Alto box (today) is not positioned to replace the firewall, it sits behind it. ;)

    Is this “poor architecture?” Possibly, depending upon your network, your business requirements and your risk tolerance, but suggesting that in general it’s a bad idea is, well, a bad idea.

    Again, I wasn’t posturing up and trying to be all that, but my experience does count for something in my opinion, and it tells me that while your concern is reasonable, it just isn’t in step with the realities of what the market requires or needs.

    There will always be exceptions.

    The beer is still yours.

    /Hoff

  2. Chris,

    That explanation is exactly what I was looking for in the first article. Thank you for the clarification. You tend to put things into perspective very well and I am glad my readers, and myself, could benefit.

    Tipping the king is in reference to conceding a Chess game because of an untenable position. I wasn’t referring to you as trying to be “The King” because everybody knows it’s me, baby. ;) The reference to the board being reset is my way of saying that it is time to start the next game in the match. I’m sure a topic will spring up.

    Go forth and get me that beer <- Which is definitely a good thing!!!
    Don C. Weber

  3. I think what they are calling an All-in-one firewall is just an Application-Aware one. It’s a firewall that can differentiate between the different applications even when they all use the same port or even use the same protocol (e.g. HTTP).
    But I think these are a subset of UTMs. They can’t identify applications, but I don’t think they can detect worms (IPS), viruses (Antivirus), spam (Antispam), or filter URLs (Content Filtering).
    They can differentiate between a Web-Based Email, Web-Based ERP Application, and Web-Based File Sharing. But will they be able to detect spam in that Web-Based Email, or XSS attacks in the ERP Application, or Viruses in the files shared on the File Sharing Application?!
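As an added illustration of the distinction the comment above draws between identifying an application and inspecting its content (this is example code written for this page, not from the post, the commenters, or any product), here is a small Python sketch: it classifies HTTP requests by application using the Host header, which is the kind of thing an application-aware firewall does, and then runs a separate content check that has to URL-decode and inspect the payload before an XSS-style parameter becomes visible. The hostnames, application labels, pattern and sample requests are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# Assumed mapping of hostnames to application labels; a real device would
# use signatures, not a static table. These names are made up for the example.
APP_BY_HOST: Dict[str, str] = {
    "mail.example.com": "webmail",
    "erp.example.com": "erp",
    "files.example.com": "file-sharing",
}

# Deliberately narrow XSS heuristic: a <script tag or an on*= event handler.
# The \b keeps "action=" from matching "on\w+=".
XSS_PATTERN = re.compile(rb"<\s*script\b|\bon\w+\s*=", re.IGNORECASE)


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_application(req: Dict[str, object]) -> str:
    """Application identification: decide which web app a request belongs to.

    Only the Host header is consulted; the body is never looked at, which is
    the limitation the comment above points out.
    """
    host = str(req["headers"].get("host", "")).split(":")[0].lower()
    return APP_BY_HOST.get(host, "unknown")


def inspect_content(req: Dict[str, object]) -> List[str]:
    """Content inspection: decode the path and body and look for XSS-like input.

    Percent-decoding matters: the constructed malicious sample below is
    URL-encoded, as a browser would send it, and would not match otherwise.
    """
    findings: List[str] = []
    data = unquote_to_bytes(str(req["path"])) + b"\n" + unquote_to_bytes(req["body"])
    if XSS_PATTERN.search(data):
        findings.append("xss-like")
    return findings


def evaluate(raw: bytes) -> Tuple[str, List[str]]:
    """Return (application label, content findings) for one raw request."""
    req = parse_request(raw)
    return classify_application(req), inspect_content(req)


# Constructed sample requests (not captured traffic).
BENIGN_ERP = (
    b"POST /orders HTTP/1.1\r\nHost: erp.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"item=widget&qty=3"
)
XSS_ERP = (
    b"POST /orders HTTP/1.1\r\nHost: erp.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"item=%3Cscript%3Ealert(1)%3C%2Fscript%3E&qty=1"
)
WEBMAIL = b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
UNKNOWN = b"GET /index.html HTTP/1.1\r\nHost: other.example.net\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("benign erp", BENIGN_ERP), ("xss erp", XSS_ERP),
                          ("webmail", WEBMAIL), ("unknown", UNKNOWN)]:
        print(label, "->", evaluate(sample))
```

The point the output makes is that the two ERP requests are indistinguishable to `classify_application` (both are "erp"); only `inspect_content`, which decodes and reads the payload, separates them. Whether a given product does the second step is exactly the question the comment raises, and the answer cannot be read off the "application-aware" label.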
