Thursday, December 20, 2007

But What Does It ACTUALLY DO?

A great follow-up to my post On Security Marketing: Marcus Ranum rants on what stateful firewalls "actually DO." He says:

"One of the fun questions I used to ask my firewalls tutorial
attendees (back in the day) is: What is a stateful inspection firewall? I.e.: what does it DO?

The answers are usually illuminating. Nobody seems to actually know." (more here)

I think if you are buying a security product, you should always know WHAT IT ACTUALLY DOES!

And if you hear, "Oh, it does, you know, 'risk management'!" - you know what to do (hint: it includes a rotten egg, throwing and running away - in whatever order you prefer ...) :-)

UPDATE (12/22/2007): this is NOT about stateful inspection, this is about a) bad marketing and b) opaqueness of some security vendors about what they do. Come on!

Possibly related posts:

8 comments:

Anonymous said...

Ironic. I try to follow the link to "read more", and I get an error saying the SSL certificate is for the wrong domain.

Practice what you preach, and all that...

Anton Chuvakin said...

Totally - this icsa labs list archive is very annoying due to SSL :-(

Anonymous said...

How constructive of you! ;)

Given the fact that I've already expressed disappointment with the quality of the answers from Nir on the rather specific questions I asked about the PAN product, I'm wondering about your point, exactly.

I explained the "rules" of the interview process; I email the questions, they email them back. There's no back and forth, no edits and no "do-overs."

So, besides pointing out the fact that these answers are marketing suckage, what do you hope to accomplish?

Me? I've had one of the boxes sent to me. I've actually been testing it for 3 weeks. I'm actually interested in validating some of the claims empirically instead of just dismissing them on a listserv because it's more fun to be dismissive and negative and get the King of firewalls all a-fluff.

...and I've emailed Marcus about this.

I'll be publishing my results shortly. It won't be marketing in nature.

The "argument" you're promoting is dusty and pointless beyond the obvious.

I have no interest in Palo Alto other than the fact that the architecture of their solution is very interesting (from a HW/SW perspective) and I have numerous clients who have asked for a deep dive.

See you on the flip side, Anton.

/Hoff

Anton Chuvakin said...

@Chris:

Are you sure you posted your comment to the right blog/to the right post? My blurb that you commented on has nothing to do with Palo Alto or your interview, just with the fact that many folks who sell security gear and make it hard to figure what it actually does. I had to review a website of some security vendor who overused the words risk, threat, etc and that actually motivated this post. I am not really "hoping to accomplish" anything with this, but if I have to phrase it like this than I am trying to make people be a bit more specific in their product descriptions....

So, please clarify why you started feeling so defensive?

Anonymous said...

Anton:

Please see the UPDATE section above. The link fronted by the words "come on" is a link to my blog. Perhaps you posted this comment on the wrong post on your blog? ;)

Further, the original post that you referenced on the FW-Wizards list pointed to the interview questions I asked Nir.

Look, I'm not defending Nir, Palo Alto, or his answers. I think they sucked, too. I *am* just wondering why you continue to delight in poking about supposed claims made by a vendor that seem to get Marcus all wound up but I don't see you making an effort to actually dig deeper.

I'm speaking specifically of the Palo Alto product.

Sorry if I come across as "defensive." I actually meant it to be "offensive." ;) The reason for which is that you're hitching a ride on a discussion that has no real point...

It's not like you've singlehandedly discovered the funny business of product marketing...

What gets me wound up is when people make judgmental claims about technology they've never actually seen, used and in some cases don't understand. Some criticism is justified, but a lot of this stuff is just part of the game.

I'm sure that there's stuff you've seen on a website of a company you work for that doesn't right true to you.

I think that it's just as silly to judge a company and its products on their marketing materials as it is to answer technical questions with marketing answers...

I mean, you could pick on any company's marketing efforts, even LogLogic's.

Take this for example:

"first multi-dimensional search accelerates IT forensics and insight, mitigating security and compliance risks in seconds."

Really. These log management products can "MITIGATE security and compliance risks?" All I need to do is deploy your solution?

Come one. We both work for vendors. It's best not to call the kettle black...

Sorry, but this whole thread just rubbed me the wrong way.

/Hoff

Unknown said...

With the risk of sounding like a Check Point fanboy ...

Check Point have never been very closed about what Stateful Inspection really is.

It isn't magic but it is quite neat technology and when the Linux kernel got some it made it possible to actually use Linux as a Firewall.

In fact, to pass the CCSA (the first basic Check Point exam) you have to know what stateful inspection is.

Anton Chuvakin said...

TO Chris:

I will respond in more depth later when I am back from my vacation, and I will try to stay more objective.

You are also 100% that many vendors (including my employer ... at times) use confusing messages to market the tools, which are (in our case, at least) genuinely useful AND work well. The piece you quote is indeed an example of what I somewhat dislike in security marketing (wow, I did say it, didn't I? :-))

>It's best not to call the kettle
>black...

I would like to call the kettle black if it is black... at least in this case! I start hating life when I look at someones website for 30 minutes and doesn't tell ANYTHING about a) what they actually do and b) how it actually works.

Anonymous said...

Fair enough, Anton.

I just wanted you to understand why I reacted the way I did.

/Hoff

Dr Anton Chuvakin