In some random browsing (and ranting!), I ran across a post by Ron Newby which talked about a recent quote from Matasano. Ron reacted to Matasano’s: “Firewalls are underrated, but only by an industry which is perpetually looking at selling you the next new thing.”
I think the point here is simply a paradigm difference between how people get things done. It might also reflect that the Matasano guys likely use the tools, whereas Ron has been on the sales side (or has that background).
If you have to dig a hole, do you expend some energy and use a shovel, or do you rent a backhoe (with covered canopy, internal air venting, a scoop on the other end, new paint job…)?
On one hand, you spend time and effort to do what is maybe a more surgical job with a tool that will almost certainly not fail you. (And you better have the back for it!)
On the other hand, you save time but may have to wait in line to acquire the equipment, maintain it, operate it, and probably lose some surgical ability with a large scoop and machinery between you and the ground being broken.
And of course both choices still require measuring where the hole should be, dealing with the excised dirt, tracking the progress, making sure the direction is clear, etc.
There is merit to either situation such that I would never dispose of one or the other. However, I will never say, “…they are promoting firewalls, which suck, and will always suck, and should be shot…”
What should I have instead of my firewalls?* Some UTM that runs on clunky Java and tries to do 39 different things, none of which it does exceedingly well, and only 3 of which I need for a consulting gig at a ma and pa shop (because their marketing teams place more emphasis on the number of features rather than on useful/valuable features)? Sure, there’s the age-old “security religion” issue where one side will denounce firewalls because they can’t stop everything, but that’s, again, a paradigm and a situational difference. Not a universal right or wrong, value or non-value.
I agree with Matasano that it sucks we keep having vendors push new things on us over and over and end up driving a lot of the security we see in the press today (yay marketing and sales cycles!). I mean, they have reasons to innovate for their own economic gain; not necessarily because the security industry has new needs.** And I will say that just because something is new, does not mean it adds value to me beyond tried and true tools from the past.
* Fine, yes, firewalls should be better defined before denouncing or defending them. And yes, firewalls that have no context above layers 3 and 4 (no visibility into the application layer, layer 7) have less utility.
** There are new things, don’t get me wrong. Old tools won’t protect new stuff like virtualization or newer web 2.0 coding languages or practices, for instance.
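As an added illustration of the first footnote (example code written for this page, not from the original post, from Matasano or from Ron Newby): a first-match packet filter that decides on the 5-tuple alone cannot tell a benign HTTP request from a path-traversal attempt or from a foreign protocol tunnelled over the "allowed" port, because it never looks at the payload. A small application-layer check bolted on after the L4 decision can, but only while the payload is cleartext; on TLS the inspecting firewall has no more context than the plain packet filter did. The policy, hosts and packets are constructed for the example.

```python
"""Added example, not from the original post: why a firewall that only sees
layers 3/4 has less context than one that also inspects layer 7.

The policy, addresses and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class L4Rule:
    action: str         # "allow" or "deny"
    src: str            # CIDR
    dst: str            # CIDR
    proto: str
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.proto == self.proto
                and (self.dport is None or p.dport == self.dport))


def l4_decision(rules: List[L4Rule], p: Packet) -> str:
    """First-match packet filter. Only the 5-tuple is consulted; the payload is invisible."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # implicit default deny


# Constructed policy: a DMZ web server (10.0.1.10) reachable on tcp/80 and tcp/443
# from anywhere; everything else over TCP is dropped.
POLICY = [
    L4Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 80),
    L4Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),
    L4Rule("deny",  "0.0.0.0/0", "0.0.0.0/0",    "tcp", None),
]

HTTP_METHODS = {b"GET", b"POST", b"HEAD"}


def l7_decision(p: Packet) -> str:
    """Minimal application-layer check, run only after the L4 filter said allow.

    tcp/80: the payload must start with a well-formed HTTP request line
            (rejects protocols tunnelled over the open port) and the request
            target must not contain '..' (one traversal pattern, for illustration).
    tcp/443: the payload is TLS ciphertext, so nothing can be inspected; the
            result is still allow, flagged as opaque to make the blind spot visible.
    """
    if p.proto != "tcp" or p.dport not in (80, 443):
        return "allow"
    if p.dport == 443:
        return "allow-opaque"
    request_line = p.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return "deny"
    if b".." in parts[1]:
        return "deny"
    return "allow"


def decide(rules: List[L4Rule], p: Packet) -> str:
    """Combined verdict: L4 first (cheap, payload-blind), then L7 on what L4 let through."""
    verdict = l4_decision(rules, p)
    if verdict != "allow":
        return verdict
    return l7_decision(p)


if __name__ == "__main__":
    web = "10.0.1.10"
    client = "203.0.113.5"
    samples = {
        "benign GET":       Packet(client, web, "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        "traversal GET":    Packet(client, web, "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        "ssh over tcp/80":  Packet(client, web, "tcp", 80, b"SSH-2.0-OpenSSH_9.0\r\n"),
        "ssh over tcp/22":  Packet(client, web, "tcp", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
        "tls client hello": Packet(client, web, "tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    }
    for name, pkt in samples.items():
        print(f"{name:18} L4={l4_decision(POLICY, pkt):6} L4+L7={decide(POLICY, pkt)}")
```

The point of the printout is the middle column: the packet filter returns the same "allow" for the benign request, the traversal attempt and SSH tunnelled over port 80, because on the 5-tuple they are identical. Only the HTTP-aware step separates them, and on port 443 that step is blind too, which is the usual argument for terminating TLS somewhere you can inspect rather than expecting a perimeter box to see inside it.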