One of the funnest parts about having a job in a industry you know nothing about is that you can ask really basic questions. Those questions allow you to build mental models that you can then use to learn about an industry and perhaps if you are extraordinarily lucky and pick the right time and place make an impact on an industry.
What follows are really basic insights, nothing profound here…
When I looked at Firewalls, the networking part of the firewall was very mysterious. Most of the value was in security, but a lot of the hard-back-breaking work was in integration with the network. Especially at scale the network integration was extraordinarily important.
At first I thought it was about protocols. And there is some truth to that but a lot less than we all think. The need to integrate in line with thousands of protocols is absolutely a challenge and a barrier to entry but not the real source of the challenge.
Maybe a different way to express my comment is that the protocol integration challenge is a signal that there is something going on there that is causing complexity, protocol integration is a symptom not the cause.
And my latest way to express the problem is the following:
If you imagine an IP network it’s a flood of packets like raindrops falling from the sky. And at every hop, decisions are made on a per-packet basis.
But security can not be implemented on a per-packet basis. You have to look at a large number of variable packets. The more complex the security system, the more packets that need to be looked at.
The challenge with firewalls is that you need to turn the flood of packets from millions of Alice’s, into little streams of packets that you can then inspect and once done inspecting flip that stream around into packets that the millions of Bob’s are expecting and send them out. Later on you have to be able to get packets from a specific Bob and correlate that packet with packets you received from a specific Alice talking to that specific Bob , turn Bob’s packets into a stream, inspect the packets and send the packets back out to the right Alice.
And – oh by the way – Alice and Bob must never know that you did that because the protocols may not allow that.
I have this image of water drops coming in one end, you enter the firewall and they turn into streams, and then they leave the firewall as raindrops the other side. And this image is remarkably resilient to explaining many things about how firewalls work and why some things in firewalls are easy and somethings are very hard.
And the nice thing about this model is that it explains why protocol processing is so crucial … without the ability to process a protocol it’s impossible to make the rain drop to stream to rain drop transformation correctly and because you are looking at all of the rain drops trying to find a bad guy, protocol completeness is crucial – skip a protocol and that is the door way for the bad guys.