Content Filtering
Policy makes migration hard
Following up on my NetworkWorld column (link), I want to dispel the notion that changing equipment is easy. Well, it actually can be easy, but we'll get to that. The word of the week is still evolution, not revolution. Whether you are talking about a LAN switch, a gateway firewall, content filtering, IDS/IPS, pretty much anything - your switching costs are DIRECTLY correlated to the number of policies you've deployed on the box.
Let's use a very simple example to illuminate my point. You see, I could go down to Best Buy and get another wireless AP (I've actually been eying a new MIMO model), and within 10 minutes I'd have it installed and ready to go in my home network. Yes, it's that easy - why? Because I don't do anything fancy. No specific policies. No special applications that I need to manually configure. No nothing. For the most part, I do out of the box stuff. So there is no switching cost. Without policies migration is easy. But that's not most people.
Most enterprises spend years getting their content filtering rules (or anti-spam defenses) tuned enough to block the bad stuff and let through the good. There are usually hundreds of custom firewall rules implemented for a sophisticated user: rules that make the firewall do its job without impacting the availability of key applications. Reading a recent NWW article about the topic makes it very clear.
Sure it's cheaper in a lot of cases to buy a new box than to renew the existing firewall maintenance. But, it's a lot harder. Writing a check is easy, building all of those policies again on new hardware is hard. Which one do you think wins, pretty much every time?
One of the things that did make me scratch my head in the article was the frustration that vendors have not introduced migration tools. I hadn't really thought of that too much, but as markets mature and aggressive upstarts (or bigger companies trying to gain market share) look to steal share, these kinds of migration tools become invaluable. Remember Microsoft was able to read in the Novell Directory (this was before LDAP made these tools obsolete)? It was pretty much game over soon after that. It made a huge difference to customers to ease the pain of moving to a new environment.
I can tell you when I was in the anti-spam business that we routinely ran into customers that were married to their ClearSwift (formerly MIMEsweeper) content filtering products. Sure the company was like the walking dead, the product didn't keep pace and they didn't know much about spam, but their customers had built hundreds of policies into the devices and they didn't want to have to start all over again. I don't recall ever having a discussion about building a little widget to suck ClearSwift rules into the box. That doesn't mean it didn't happen, but I wasn't involved. Maybe we should have.
Now giving the topic some thought, I think it's working out the way it's supposed to. We are benefiting because most of the vendors were just too lazy to build these tools. For security, I believe migration tools are bad. Huh? Didn't I read the article? It took one company a year to migrate all of their rules to protect their 3500 users. First, they are doing something wrong. It shouldn't take that long.
Second, your security rules are kind of like your closet. If you don't go in and throw stuff out every couple of months, it becomes a mess.
When outdated rules are kept in place, you create security exposures. A port that was opened for a two month application initiative needs to be closed when the project is done. If you just blindly pulled your firewall (or IDS or content filtering) policies into the new box, you wouldn't have the discipline to go and prune what needed to be pruned. If you go back in and check those devices, I think you'd be surprised at what policies are still in place.
So it's a pain in the ass, but going through your rule set is worth the effort. And let's be very clear that the more time you spend configuring policies, the more entrenched your security vendor becomes.
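The pruning pass described above can be made mechanical rather than a matter of discipline. The script below is an added example, not code from the original post or from any vendor's migration tool: it runs over a constructed ruleset whose rules carry the metadata a change process would normally record (owner, change ticket, the project end date the rule was created with, and the last time the counters showed a hit) and flags the rules that should be reviewed or dropped instead of being copied blindly onto the new box. The rule names, ticket numbers, addresses (RFC 5737 documentation ranges) and the 90-day unused threshold are all assumptions for the example.

```python
"""Stale-rule audit to run over a firewall ruleset before migrating it.

Constructed example: the rules, tickets and addresses below are made up.
Allow rules are flagged when they have passed their recorded expiry, have not
matched traffic recently, lack an owner or change ticket, or permit any/any.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: str
    dst: str
    dport: str                       # port, range or "any"
    owner: Optional[str] = None
    ticket: Optional[str] = None     # change ticket that justified the rule
    expires: Optional[date] = None   # project end date recorded at creation
    last_hit: Optional[date] = None  # last time the rule's counter moved


# Constructed sample ruleset; the audit is evaluated against a fixed date so
# the results are reproducible.
TODAY = date(2024, 6, 1)
RULES = [
    Rule("web-in", "allow", "tcp", "any", "203.0.113.10", "443",
         owner="webteam", ticket="CHG-0001", last_hit=date(2024, 5, 31)),
    # Two-month vendor pilot: the project ended in February, the rule is still here.
    Rule("vendor-ftp-pilot", "allow", "tcp", "198.51.100.0/24", "203.0.113.20", "21",
         owner="procurement", ticket="CHG-0042",
         expires=date(2024, 2, 28), last_hit=date(2024, 2, 20)),
    # Nobody remembers who asked for this one, and nothing has used it since November.
    Rule("legacy-mgmt", "allow", "tcp", "any", "203.0.113.30", "23",
         last_hit=date(2023, 11, 1)),
    # Troubleshooting rule that was never removed and never matched anything.
    Rule("temp-any", "allow", "any", "any", "any", "any",
         owner="ops", ticket="CHG-0099"),
    Rule("default-deny", "deny", "any", "any", "any", "any",
         owner="secops", ticket="CHG-0000", last_hit=date(2024, 5, 31)),
]

UNUSED_AFTER = timedelta(days=90)   # assumed review threshold for idle allow rules


def audit(rules, today, unused_after=UNUSED_AFTER):
    """Return (rule name, reason) findings for allow rules that need review before migration."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules create no exposure; carry them as-is
        if r.expires is not None and r.expires < today:
            findings.append((r.name, f"expired on {r.expires.isoformat()}"))
        if r.last_hit is None:
            findings.append((r.name, "never matched traffic"))
        elif today - r.last_hit > unused_after:
            findings.append((r.name, f"no hits for {(today - r.last_hit).days} days"))
        if not r.owner or not r.ticket:
            findings.append((r.name, "no owner or change ticket"))
        if r.src == "any" and r.dst == "any" and r.dport == "any":
            findings.append((r.name, "permits any source to any destination on any port"))
    return findings


def rules_to_migrate(rules, today, unused_after=UNUSED_AFTER):
    """Names of rules with no findings: the set that can be carried to the new device unchanged."""
    flagged = {name for name, _ in audit(rules, today, unused_after)}
    return [r.name for r in rules if r.name not in flagged]


if __name__ == "__main__":
    for name, reason in audit(RULES, TODAY):
        print(f"REVIEW {name:18s} {reason}")
    print("carry over unchanged:", ", ".join(rules_to_migrate(RULES, TODAY)))
```

The point of splitting `audit` from `rules_to_migrate` is that the migration input becomes the output of the review, so a rule only reaches the new hardware after someone has either cleared its findings or deleted it. Real devices expose the hit counters and creation dates in different ways, so the loader that builds the `Rule` objects is the part that changes per vendor; the checks themselves do not.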