Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
At 09:00 AM 26/05/2006, Paul D. Robertson wrote:
>On Thu, 25 May 2006, Chris Blask wrote:
>> o The best gadget in the world is no good if the maker doesn't survive
>> to support it.
>Sure it is. The vendor isn't the only choice for support, and if it's
>good enough to be the best, it shouldn't *need* regular support.
I don't believe in static security. If something was good enough to be best it would still be imperfect.
The "vendor" could be the open source community, in which case the source is there for everyone to support, but a great product from a dead or badly-acquired company can be worse than useless.
>>o Another analog to twist would be: a bunch of talented
>> and enthusiastic guerillas may be good at the start of a conflict, but
>> when it gets really serious you'll be unhappy if you are not the one
>> with the integrated weapons platform...
>1. You're comparing apples and oranges, soldiers against weapons.
>2. With the right guerilla force, the shiny new expensive platform is
>already useless by the time you deploy it *if it even makes sense for the
>conflict you're in rather than the last conflict that happened when the
>weapons platform makers all got their contracts.
Analogies are never very accurate (my favorite quote from an English teacher in HS: "There is no such thing as a synonym").
However, to pursue the military analogy:
>History is full of tales of the vanquished who've felt their superior
>large-scale do-everything weapons could win. That's one of the reasons
>the US strategy to go to small light and mobile divisions is interesting-
>it's a step away from the traditional "bigger, more" philosophy of
>multi-billion dollar pork projects and Congress forcing the purchase of
>ineffective integrated weapons platforms.
o The reason the US military can successfully use "small and light" tactics today is that they have an integrated weapons platform. Robust standardized components tested to death (pun) interoperate in well defined ways, and small changes are enormously vetted before being released to the battlefield. Inventing new guns that take new bullets and are given to soldiers with new communications systems that use new protocols to sync up with new command structures that analyze data in new ways and provide tactical feedback in new schemas - well, that just wouldn't work real well. "Small and Light" in the US military context is only possible because they have developed "Huge and Heavy" amounts of testing and experience.
Of course, "small and light" can also be "we're just making this sh*t up as we go along and don't mind dying", sometimes introducing the surprising successes of randomization. Ironically, by the time a new technique discovered that way becomes widespread, it often loses the characteristics of surprise and flexibility that make it successful.
In infosec today we are coining terms and creating methods on a daily basis - this is not a mature area of endeavor. When it is a mature space, we will have much more "integrated" "weapons platforms", whether single-vendor or standards-based.
>Paul D. Robertson "My statements in this message are personal opinions
>firstname.lastname@example.org which may have no basis whatsoever in fact."
>http://fora.compuwar.net Infosec discussion boards
>firewall-wizards mailing list