the discussion of firewalls and antivirus

Often, a 140-char Twitter post isn’t enough to convey a message. In fact, sometimes accessible blog posts don’t give enough meat to a discussion that deserves it. This can probably be said about the current discussions on firewall or AV (or more broadly: “old”) security technology effectiveness. The bullet points usually aren’t good enough to do a topic justice (which sometimes means we’re arguing two different nuances of the same position…).

(Aside: I really hate how Google Reader links tack on extra crap behind a URL; which means I have to get rid of it when linking to stuff found via it.)

Anyway, Beau is back to blogging and threw out a post, “Firewalls and Anti-Virus Aren’t Dead – Should They Be?” which itself is a response to one from Wendy Nather, “Why We Still Need Firewalls and AV.”

(Aside: It might not be proper to call them antivirus tools anymore, but I also still use the term “video” when I mean DVD/Bluray, or to “tape something” as in record it. That’s not meant as a dig, though it certainly makes me grin to think of this analogy.)

This is a necessary and healthy discussion to have, even if I am not terribly open to the direction (wet blanket comes to mind). I totally encourage any other bloggers out there to also chime in, because Wendy’s closing question is really still unanswered, and it’s the Big One, ya know? “So if you don’t agree with me, and you’ve really stopped using these products, I’d love to hear about how you’re addressing those classic threats, and what controls you replaced them with.”

(Aside: This same feeling exists in the whole Down With Patching movement…)

I really require hard proof that techX isn’t working anymore (I already agree it’s not as effective, but that’s different). And I also require an alternative (something business/management teaches you pretty quick) that matches the technology one-to-one and/or improves upon it. Many vendors think this means making Super Boxes that do so many things, with covers on top of covers to shield me from the guts of the surgical tools, and I tend to disagree with that approach.

(Aside: I left a comment on Beau’s post, and I’m thrilled to say I only needed one attempt at the captcha to post “anonymously” [or at all]. This is rare, and actually reduces my commenting in outside areas, like the HP evangelist blog which pisses me off to no end each time I try… Of course, InfoSecIsland gets no comments from me because of the login req…)

I do want to bring out just one part of Wendy’s post at the end that I liked: “They [users] need to know what each security product will and won’t protect, and they need to understand this in a non-technical way…” This is partly why it sucks to talk to security vendors today. Their products are too big and bloated for an elevator pitch that doesn’t dive deep into hyperbole, and too complex to be understood well enough to sell them this way. They conflate their protection (DLP is notorious. Also, I had a large endpoint security provider today use the words “100% secure” after rolling out their endpoint solution remotely…). And they latch onto compliance and media scares for attention (ok, I do the same thing, since compliance has given me more tools than I’d have without it…). The vendors that do this leave a bad taste when dealing with anyone in the whole industry space, which is a shame.

(Aside: Oh, and I think Beau actually agrees with both Wendy and myself [RE: paragraph 8 from his post], it just kinda kneejerk sounds like he doesn’t.)