Bad security wins out? - Firewalls



  1. Bad security wins out?


    Excerpts from
    http://www.wired.com/politics/securi...tymatters_0419

    (Bruce Schneier)---Why are there so many bad security products out
    there? Why do mediocre security products beat the good ones in the
    marketplace?

    Economist George Akerlof wrote a paper called The Market for Lemons,
    which established asymmetrical information theory. He won a Nobel
    Prize for his work, which looks at markets where the seller knows a
    lot more about the product than the buyer.

    Akerlof illustrated his ideas with a used car market. A used car
    market includes both good cars and lousy ones (lemons). The seller
    knows which is which, but the buyer can't tell the difference, at
    least until he's made his purchase. What ends up happening is that the
    buyer bases his purchase price on the value of a used car of average
    quality.

    This means that the best cars don't get sold - their prices are too
    high. Which means that the owners of these best cars don't put their
    cars on the market. And then this starts spiraling. The removal of the
    good cars from the market reduces the average price buyers are willing
    to pay, and then the very good cars no longer sell, and disappear from
    the market. And then the good cars, and so on until only the lemons
    are left.

    In a market where the seller has more information about the product
    than the buyer, bad products can drive the good ones out of the
    market.

    The computer security market has a lot of the same characteristics as
    Akerlof's lemons market. Good security design takes time, and
    necessarily means limiting functionality. Good security testing takes
    even more time. This means the less-secure product will be cheaper,
    sooner to market, and have more features.

    I see this kind of thing happening over and over in computer security.
    In the late 1980s, there were more than a hundred competing firewall
    products. The few that "won" weren't the most secure firewalls - they
    were the ones that were easy to set up, easy to use, and didn't annoy
    users too much. Because buyers couldn't base their buying decision on
    the relative security merits, they based them on these other criteria.

    Security testing is both expensive and slow, and it just isn't
    possible for an independent lab to test everything. A complex software
    product is very hard to test well. And, of course, by the time you
    have tested it, the vendor has a new version on the market.

    How do you solve this? You need what economists call a "signal," a way
    for buyers to tell the difference. Warranties are a common signal. In
    reality, we have to rely on a variety of mediocre signals to
    differentiate the good security products from the bad. Reputation is a
    common signal - we choose security products based on the reputation of
    the company selling them, the reputation of some security wizard
    associated with them, magazine reviews, recommendations from
    colleagues, or general buzz in the media.

    All these signals have their problems. With so many mediocre security
    products on the market, and the difficulty of coming up with a strong
    quality signal, vendors don't have strong incentives to invest in
    developing good products. And the vendors that do tend to die a quiet
    and lonely death.

    --

    The only reason some people get lost in thought is because it's unfamiliar territory.

    ....Paul Fix

  2. Re: Bad security wins out?

    1. Stop playing web2news gateway without providing any discussion point
    2. Tell news!

  3. Re: Bad security wins out?


    "Sebastian G" wrote in message
    news:58sp1nF2in8apU2@mid.dfncis.de...
    > 1. Stop playing web2news gateway without providing any discussion point
    > 2. Tell news!


    "Many firewall comparison reviews focus on things the reviewers can easily
    measure, like packets per second, rather than how secure the products are.
    In IDS comparisons, you can find the same bogus "number of signatures"
    comparison. Buyers lap that stuff up; in the absence of deep understanding,
    they happily accept shallow data. "

    DISCUSS



  4. Re: Bad security wins out?

    Well, there is nothing to discuss; that's all true.

    Remember the old firewall market leaders back in the '90s: Checkpoint
    FW-1, which was almost unusable. PoS. Years passed before the product
    became semi-decent, definitely not before 2000..2002. And people kept
    buying it!

    PIX, damn stupid PC box packet filter. And people kept buying it!

    David Smith wrote:
    > "Sebastian G" wrote in message
    > news:58sp1nF2in8apU2@mid.dfncis.de...
    >
    >> 1. Stop playing web2news gateway without providing any discussion point
    >> 2. Tell news!
    >
    > "Many firewall comparison reviews focus on things the reviewers can easily
    > measure, like packets per second, rather than how secure the products are.
    > In IDS comparisons, you can find the same bogus "number of signatures"
    > comparison. Buyers lap that stuff up; in the absence of deep understanding,
    > they happily accept shallow data. "
    >
    > DISCUSS


  5. Re: Bad security wins out?

    ArkanoiD wrote:
    > PIX, damn stupid PC box packet filter. And people kept buying it!

    Which PIX models are you talking about? Most even implement ASICs optimized
    for routing and filtering with a decent ruleset compiler.

  6. Re: Bad security wins out?

    There were *NO* ASICs in PIXen, period. It's just a myth.
    (Google: frankenpix and more articles on what's inside.)
    It is basically a generic Chinese PC with flash boot.
    The only thing that gets hardware acceleration is VPN encryption (if you
    use pretty generic acceleration cards in turn).

    Sebastian G. wrote:
    > ArkanoiD wrote:
    >
    >> PIX, damn stupid PC box packet filter. And people kept buying it!
    >
    > Which PIX models are you talking about? Most even implement ASICs
    > optimized for routing and filtering with a decent ruleset compiler.


  7. Re: Bad security wins out?

    ...even ASAs have their PIX part as a pretty generic PC with no ASICs
    (custom one, though).

    ArkanoiD wrote:
    > There were *NO* ASICs in PIXen, period. It's just a myth.
    > (google: frankenpix and more articles on what's inside).
    > It is basically a generic chinese PC with flash boot.
    > The only thing that gets hardware acceleration is VPN encryption (if you
    > use pretty generic acceleration cards in turn)
    >
    > Sebastian G. wrote:
    >
    >> ArkanoiD wrote:
    >>
    >>> PIX, damn stupid PC box packet filter. And people kept buying it!
    >>
    >> Which PIX models are you talking about? Most even implement ASICs
    >> optimized for routing and filtering with a decent ruleset compiler.
