gwionwild, colonial boy, Premium, ExMod, 2001-08
reply to madirish
Tiny was a fantastic piece of work. It's a little involved, both functionally and conceptually, for a lot of users, but I've thought, from the very beginning, that it was a best-of-breed and one-of-a-kind product. Secure4u, acquired by Tiny just after the Kerio spinoff, was the one single stable iteration of a "true" system-wide sandbox app. Tiny, by that acquisition, became the definitive behavior-blocker, and has never, yet, been matched in that regard.
The grand thing about Tiny is that it's not just a firewall, it's the best design for an anti-trojan there is. Simply identify those behaviors which are suspicious and abnormal, and block them. No need to micro-analyze files every so often, update detection databases, just watch what they do and what they access, and, if that looks dicey, based on what an app normally does, stop the behavior and alert the user. There are certain things a non-system app just ought not be trying to access or do... isn't it better, frankly, to watch for those behaviors and block them, than to try and keep track of every piece of malware out there, one by one? Proactive response versus reactive response.
I lament the passing, if, indeed, it's a passing, of Tiny. We need to keep the idea alive, though. It's the future of firewalling, I think. Ultimately, operating systems might become self-defending, using concepts similar to Tiny/Secure4u's... but I doubt that will be any time soon. Until then, I think we need to support and promote the concepts. Simply, it's just the best way of proactively addressing the threats we haven't yet dealt with... reactive apps require somebody to get infected, discover the infection, and report the same... then, the app developers have to add a pattern match to a database, release a daily update, and, after a few thousand of us have already been compromised, release it... and hope we remember to download our update. Tiny-like apps might need regular updating, but only insofar as a new (previously thought harmless) behavior is linked with a new approach to hackin' an' crackin'.
Maybe (wishful thinking?) Tiny is returning to its roots? Remember, the original Tiny, now Kerio 2.x, was the packet filter element from Tiny's enterprise solution "CMDS" (centrally managed desktop security) system. It also served the classic NAT app, Winroute Pro, in the same capacity. CMDS, I remember saying in here, a few years back, was around the best and most articulately implemented enterprise firewall ever conceived. What happened to it? Well, the old versions were sold off to a (Chinese, I think?) firewalling developer... but the concept became Tiny Enterprise...
CMDS worked on a distributed-responsibilities concept. The core was a dedicated security server at the corporate IT center. Each machine ran a packet filter, an IDS, a sandbox, and so forth, but the user couldn't tamper with them, even if he was using a company laptop at home. Simply, as soon as the machine accessed the VPN, the security server checked it out, compared it to the database, and, if anything in the firewall config didn't match the "last known good" config stored on the security server, it denied the computer access to the network, and rewrote the "correct" config back to it. It could also see the logs, and would be able to determine whether the remote machine had been compromised while improperly configured. Nice piece of work.
CA, I know, is now mostly concerned with enterprise solutions. I sincerely hope that, at least, they don't shoot this great idea behind the barn, but incorporate it into their own offerings. Hell, the only thing that honestly can be said in any negative sense about the CMDS concept is that it was just scratching the surface of the kind of security solutions we can be looking at ... of course, as we all know, too, security is often the seven-toed redheaded child of enterprise IT... but that's a new topic for another day... Tiny, it's good to 'ave known ya. Hope you inspire many new-generation developers to pursue the road less travelled, towards excellence in concept and design...
I'll be there when you fall
The one condition of love ...
... is there are none at all.
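The admission check the post attributes to CMDS (compare the endpoint's firewall config to the server's "last known good" copy, deny and push the correct config on any drift, and scan the endpoint's logs for activity the correct config would have blocked) modelled as a small Python example. This is added illustration, not Tiny's, Kerio's or CMDS's own code; the config structure, the host name "laptop-042", the rule evaluation order (first match wins, then default policy) and the log line format are all constructed for the example.

```python
import copy
import hashlib
import json

# Constructed "last known good" config as a security server might store it per host.
# (Assumed layout; not the CMDS on-disk format.)
LAST_KNOWN_GOOD = {
    "laptop-042": {
        "default_policy": "deny",
        "rules": [
            {"action": "allow", "direction": "out", "proto": "tcp", "dst_port": 443},
            {"action": "allow", "direction": "out", "proto": "udp", "dst_port": 53},
            {"action": "deny", "direction": "in", "proto": "any", "dst_port": "any"},
        ],
        "ids_enabled": True,
        "sandbox_enabled": True,
    }
}


def canonical_hash(config):
    """Hash a canonical JSON form so key order or whitespace never counts as drift."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def diff_config(expected, actual, path="$"):
    """Recursively list every place the reported config departs from the baseline."""
    drift = []
    if isinstance(expected, dict) and isinstance(actual, dict):
        for key in sorted(set(expected) | set(actual)):
            sub = f"{path}.{key}"
            if key not in actual:
                drift.append(f"{sub}: missing (expected {expected[key]!r})")
            elif key not in expected:
                drift.append(f"{sub}: unexpected {actual[key]!r}")
            else:
                drift.extend(diff_config(expected[key], actual[key], sub))
    elif isinstance(expected, list) and isinstance(actual, list):
        for i in range(max(len(expected), len(actual))):
            sub = f"{path}[{i}]"
            if i >= len(actual):
                drift.append(f"{sub}: missing {expected[i]!r}")
            elif i >= len(expected):
                drift.append(f"{sub}: unexpected {actual[i]!r}")
            else:
                drift.extend(diff_config(expected[i], actual[i], sub))
    elif expected != actual:
        drift.append(f"{path}: expected {expected!r}, got {actual!r}")
    return drift


def admit(host, reported_config):
    """Server-side decision at VPN connect time.

    Returns (admitted, drift, corrected_config). On any mismatch the host is
    refused and handed back the baseline to rewrite its local config with.
    """
    baseline = LAST_KNOWN_GOOD.get(host)
    if baseline is None:
        return False, ["unknown host"], None
    if canonical_hash(baseline) == canonical_hash(reported_config):
        return True, [], None
    return False, diff_config(baseline, reported_config), copy.deepcopy(baseline)


def baseline_allows(baseline, direction, proto, dst_port):
    """Evaluate the baseline rule set: first matching rule wins, else default policy."""
    for rule in baseline["rules"]:
        if rule["direction"] != direction:
            continue
        if rule["proto"] not in ("any", proto):
            continue
        if rule["dst_port"] not in ("any", dst_port):
            continue
        return rule["action"] == "allow"
    return baseline["default_policy"] == "allow"


def parse_log_line(line):
    """Parse a constructed log format: '<date> <time> <VERDICT> dir=.. proto=.. dport=.. src=..'."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[3:])
    return {
        "verdict": parts[2],
        "direction": fields["dir"],
        "proto": fields["proto"],
        "dst_port": int(fields["dport"]),
        "src": fields.get("src"),
    }


def flag_suspicious(host, log_lines):
    """Return the ACCEPT entries that the last-known-good config would have blocked.

    This is the post-hoc check: if the endpoint was running a weakened config,
    anything it accepted that the baseline denies is evidence worth investigating.
    """
    baseline = LAST_KNOWN_GOOD[host]
    flagged = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev["verdict"] == "ACCEPT" and not baseline_allows(
            baseline, ev["direction"], ev["proto"], ev["dst_port"]
        ):
            flagged.append(line)
    return flagged
```

A reconnecting laptop whose config has merely been re-serialised with keys in a different order is admitted, because the comparison is on a canonical form rather than raw bytes; one whose IDS has been switched off or that has gained an extra inbound allow rule is refused and receives the baseline back, and its accepted-inbound log entries on ports the baseline denies are the ones to pull for investigation.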