Re: Firewall administration.
Bennett Todd (bet
rahul.net)
Tue, 30 Sep 1997 04:59:11 -0700
- Previous message: Andreas Siegert: "RE: Penetration Tests"
- Maybe in reply to: Edward Cracknell: "Penetration Tests"
- Next in thread: Aleph One: "Re: firewalls and the incoming traffic problem"
>[...] firewall experts are costly (if they even want to work permanently!)
>and training a person to the required level is also going to be quite costly.
>Thus relying on skilled people to configure them is to nobody's advantage so
>the presence of user-friendly interfaces becomes a must. [...]
I think _That_ misconception is gonna be hard to run down; I don't even have a
clear idea who is guilty of promulgating it.
I've only administered a few different firewalls, though I've looked at the
support docs for a couple more, and so far I've yet to see one that's anywhere
near as hard to configure as your typical Windows app. GUIs don't enter into
it, there just isn't all that much to do. Firewalls (at least decent ones) are
not complex systems, by design.
GUIs aren't a must; simplicity is a must. When you have a box that's simple
enough to possibly be a good firewall, you don't need or want a GUI.
The _hard_ part --- which a GUI won't help --- is providing technical
assistance in the process of developing the company security policy; this
includes educating management about risks and choices in protocols and
internet services. Once that policy is done, the firewall config and admin is
a piece o' cake by comparison.
> I think the presence of an easily usable GUI is a *must* for any serious
> commercial firewall.
I think the presence of an elaborate GUI is a warning flag; the vendor has
added complexity to try to help people who aren't competent to configure the
system. That's bad for security twice. I don't want to be buying products from
a company that adds complexity (== room for bugs) to a product to help allow
people who don't know enough to do the job right to give the appearance of
doing the job.
What's the difference between a router and a firewall? Well, the difference
isn't visible to the kind of clueless putz who wants a GUI.
> [...] But that doesn't justify the reviewers using the GUI as the #1 index.
Now _That_ I do find useful; with them rating firewalls by GUI, you can at
least invert their results and get a good first approximation to a reasonable
evaluation.
Now GUIs aren't bad in all situations; they're sometimes marginally OK if you
have a basically non-computer-related job, like say painting or process
control, and you want to give the illusion that there's no computer here. And
they're just the ticket if you have a potentially curious and interested user
community, and you want to keep them dumb and powerless and ignorant by
throwing an impenetrable barrier of complexity between them and their machine.
But they don't have any good role I can see on a firewall. But then, I'm not a
burglar. If I were, I'd certainly encourage people to go with GUIs to let them
use untrained people to set up their ``firewall''.
-Bennett
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:59 CDT