Wednesday, September 19, 2007

about firewalls and bonds

If you're lucky enough to not be involved in the drama of the computer security industry, you've probably not noticed the near-flame wars going on about de-perimeterization and the Jericho Forum.

I won't get into the details, because, as in most flame wars, they don't matter. But one thing in the latest salvo really got my hackles up. Not for the arguments, but for the disclaimer:

I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)

Poppycock. People change jobs all the time. Do you believe it when a CEO leaves a Fortune 500 company "to spend more time with his family"?

Part of my reaction comes from not being in marketing. An engineer is allowed (hopefully expected) to have a nuanced view of things. If a marketing person does, they're not really doing their job right. And engineers move across sectors a lot more, too. Non-competes play a part, of course, but after a period of time a given segment stops driving our curiosity; moving around keeps us fresh.

Over the past 10 years, I've built product for security companies selling all sorts of things: penetration testing, scanning, auditing, recording, DDoS defense, network profiling, remediation. I'm currently doing interesting work for a UTM vendor (just like the poster of the above disclaimer, although he won't call it that), which would seem to put me in the "network-based" defense category. But I'm also personally building some host-based defense mechanisms.

Which of those is the "best" way to secure your computers? It's a foolish question. Most people need a mix of those solutions, and just which mix depends on your situation. I currently deal with a lot of SMB (small- and medium-sized businesses, if you're not up on the lingo), which makes sense since I'm working for a UTM vendor, and that's the nice sweet spot for UTMs. Those customers have limited internal expertise and limited dollars, so an all-in-one package does a great job.

Occasionally customers will ask me if they should get rid of their host-based defenses, like antivirus software. My answer always comes down to "are you happy with it?" Most people don't care, so they leave it alone. But other folks get really pissed off by Norton Anti-Virus.

It's true that host-based defenses can open up new holes. You can read the argument of a maker of network-based defenses on why. (The points are valid, but just remember that you're reading the page of a vendor biased against host-based solutions, who avoids mentioning that network-based solutions can create vulnerabilities too.) However, there are threats that network-based defenses just can't deal with, like malware on removable media or encrypted connections.

For a lot of people, these threats don't matter, or are so small compared with their network threats that they'll just deal with them as is. But it's incorrect to try to wave away these threats, such as saying "well, they should have policies against that" or "no one really does that any more."

I'll close with a quote I think I got from financial analyst Allan Sloan, but couldn't find. "When Bill Gross (manager of the world's largest bond fund) talks about stocks, he's really talking about bonds." So when a marketer of product X talks about Y, he's really talking about how Y is inferior to X.


Anonymous Stiennon said...

So, what's your point? That Stiennon is biased? That was what the disclaimer was for. So the million other bloggers would not gleefully point out my bias.

Read my stuff on Secure Network Fabric. I don't deny the value of host protection, just that host and network security should be de-coupled (yes, in the engineering sense). Cisco and the NAC crowd are seeking to closely couple them, the Jericho Forum is seeking to eliminate the perimeter. I say do both, do them well, and keep them separate.

I am an engineer too. Aerospace. Don't go tarring people with the "marketing brush" so quickly.

4:23 PM  
Blogger Dan Weber said...

The "disclaimer" would've been fine with just the first sentence. The later sentences effectively undo the disclosure offered in the first.

10:54 AM  
