So, this news article citing Abe Singer's anti-firewall rant came across my inbox this morning. Basically, Abe's point is that too many people are spending too much money on firewalls, which don't really do all that much in light of the expense. The article is filled with quotes like, "Too much of the security budget is being spent on firewalls which also get too much attention [and] it's also 'cool' to have a new firewall to play with" and "You really need to think through your processes [and] relying on a firewall means you're probably doing security wrong."
Now, I'm not going to say that I think firewalls are all that and a bag of chips, but I think Abe is missing the point - after all, he's an academic and not working in the enterprise. A good many industries are regulated to some degree and others are subject to audit for some reason or another - if they are not regulated themselves, they might sell services for which they'll be asked for a current SAS 70. Guess what? These regulators and auditors will put a check in the big "no" box under the line item "firewall" if you don't have a firewall - no matter what other compensating controls you have; a check in the "no" box is deadly - no matter what Abe might tell you.
No matter what Abe says, enterprises don't install firewalls just because they're "cool" or because security folks in enterprises are ignorant - even if the security organizations could ensure equal security (for fewer dollars) without a firewall, they would still install one so that the regulators and auditors can check "yes" on the firewall box rather than "no." Seriously. In my experience, auditors and regulators are usually not super tech-heavy. If you're in the security group of a bank, can you imagine explaining to a non-technical OCC auditor why you don't have a firewall? How about explaining it to DISA if you're a government entity or contractor? How about VISA - if you're a merchant, do you want to go toe-to-toe with VISA to explain why you're not in strict compliance with their rules? None of those choices sound fun to me, but thank you all the same, Abe.
Of course, this all discounts the fact that if you do get attacked and you don't have a firewall, you're going to look like an idiot.
Just my two cents.
I'm not sure how to use it, but as tools go, this one is really cool. It will find connections between two arbitrary terms via content on the Internet. It's also interesting that going from "rootkit" to "Department of Homeland Security" goes through Microsoft - hidden meaning, you think?
Along with the rest of the world, I've been gearing up these past few days for the upcoming release of the next installment of everybody's favorite young wizard. In the process of delving into the fantastical, I happened across an online serial fantasy tale from Lawrence Watt Evans, being released under the auspices of Schneier's Street Performer Protocol.
This is interesting, because it's the first book from a published author that I've heard of being released in this fashion (feel free to correct me if this is in error) - the "blender" software proved the model with software, but the developer went out of business afterwards, so we didn't get to see how it worked out long-term. This is an interesting experiment to watch to see how the concept works with books.
So, how's it working out so far? According to the author, he's paid through several chapters ahead and the system is working better than he anticipated.
Score one for Bruce.