9 February 2011

Next-gen firewall makers go head-to-head

Representatives from security vendors Palo Alto Networks and Sourcefire debated the merits of their approaches to unified security live on stage at NetEvents in Barcelona today.

The spirited debate, moderated by Rick Moy, CEO of security testing company NSS Labs, saw two fundamentally different approaches to securing the enterprise datacentre with next-generation firewalls compared.

Nir Zuk, CTO of Palo Alto, and Jason Brevnik, VP security strategy at Sourcefire, stood at opposite sides of the stage as Moy opened the discussion. He described the threat landscape as having changed over the last four years.

Introducing the debate, Moy said that attacks, which previously originated predominantly from external hackers, have shifted to today's client-side threats. The main attack vectors now include Twitter and Facebook, he said. The problem is that enterprise security systems generally assume that any response to a request from inside the organisation, such as a link clicked in a Facebook page, is safe. Instead, said Moy, systems now need to parse incoming traffic.

Zuk and Brevnik compared their differing approaches to security. Zuk said that if, for example, a user plugged in a USB stick containing malware, his company's next-generation firewall would not let the machine onto the network unless it was running the right security agent. Brevnik said: "You can't scan for everything."

Zuk said: "You're being too PC-centric. You need 10 gigabit per second wirespeed protection. My product can do that and doesn't slow down."

Brevnik questioned whether a full 10 gigabit per second was always needed. He said that people do cost-benefit analyses on whether they need full wirespeed. Moy said that real-world testing by NSS Labs shows that products often run at about 50 percent of rated throughput.

Brevnik said that next-generation firewalls collapse numerous existing security functions into a single box. He said: "Will a next-generation firewall be deployed in the core? It's more likely you'll want deep packet inspection and intrusion protection in the datacentre."

Another point of contention concerned the speed of deployment of next-generation firewalls. Zuk said: "Our customers are saving 60 percent on opex [operational expenditure] of their network security budget over three years by switching to our next-generation firewall. It needs fewer people to manage it. But that's not enough - and is why UTM [unified threat management] is not successful."

Brevnik said: "It will take a long time for wholesale change to occur. Enterprises don't just rip and replace. Change is slow because people are used to doing what they do."

31 March 2009

This blog has moved

You'll now find my postings here. Hope to see you there.

23 March 2009

Does Google Street View really invade your privacy?

It’s been interesting watching the reaction to Google’s new Street View. Privacy’s the big issue -- and I’m as concerned as anyone about the UK government’s plans to introduce ID cards, wrap the UK in CCTV coverage and generally ensure that every move you make is stored in a database somewhere. This is an issue I’ll return to in future posts.

But back to Google Street View -- and I think some people are over-reacting, or at least not thinking through the consequences of their positions.

There was Jeremy Paxman on Newsnight the other night grilling the company’s UK CEO about privacy, and I’ve read dozens of items from individuals complaining about the same issues Paxman raised. These include worries about why Google can legally take pics of their house and publish them on the web without anyone’s say-so.

Well guess what? Anyone’s been able to do that since whenever. You can photograph anything and reproduce it as long as it’s not copyrighted. People are another matter of course.

Photographers have it tough right now, with the police seemingly under orders on the pretext of preventing terrorism to pounce on people taking photos with anything other than a point-and-shoot camera. I’ve read plenty of anecdotes about amateurs as well as professionals with SLRs (and sometimes tripods) being questioned about their motives. Have we really become that scared?

What we don’t need is campaigners bellowing that Google is somehow invading their privacy followed by lies from the Daily Mail sparking a whole new round of legislation as a result.

Pics of houses are surely OK as long as the house in question isn’t identified with an individual. One person has argued that Street View delivers an image of their car with legible number plates outside their house - which I’d agree is a bit annoying, although even then, you can’t assume that a nice car belongs to a particular house. And Google does promise (and I’ve no idea if it has or how quickly it has) to remove/blur images where appropriate.

Let’s have a serious think about what’s really private before we go making life even more hell for photographers and others whose ability to capture images is already being constrained. No-one’s complained about their activities before...