Firewall Wizards mailing list archives

RE: Firewall administration.


From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 6 Oct 1997 06:14:32 -0400

This GUI debate is all well and good.  We know it isn't the 
answer to all of our prayers, but if it provides increased 
threat management, then I'd say let 'em run with it.  It is 
better than nothing.  Not every entity doing business on 
the Internet has the need of, nor can they afford, a full 
featured super wiz bang firewall, or the obligatory web 
guru it is going to take to configure it.   It is a 
question of scale.  The big firewall houses are marketing 
their wares towards a small percentage of customers, when 
compared to the vast smaller market that exists that cannot 
afford them.  Companies that produce products that are 
watered down versions or better yet, full featured at 
lower, more realistic prices are going to find the field 
ripe for the picking.  You are already seeing this trend 
gaining momentum.
JMHO

On Friday, October 03, 1997 1:21 PM, Rick Smith 
[SMTP:rsmith () visi com] wrote:
| I don't think the problem is so much one of GUI versus non-GUI, I think it
| runs deeper. People will follow the minimum number of instructions to get
| things going, but once they're done they want to feel confident that
| they've done the job completely and correctly.
|
| This "feeling" is an important part of security. Customers aren't
| completely satisfied without it.
|
| Unfortunately, a cleverly designed GUI will give you that feeling of
| confidence without actually implementing all the protections you might have
| wanted or intended.
|
| So, in my opinion, the basic technical security problem is one of cognitive
| modeling. A good administrative interface gives the installer a clear
| representation of the protection *objectives* he wants to achieve and helps
| him set up the firewall in terms of those objectives. Only techno-geeks
| care about ports and packet state bits. The administrators care about
| controlling traffic direction and type of service, or perhaps even higher
| level things. So a good interface lets the administrators set up the
| firewall in terms of interesting goals.
|
| You don't need a GUI to do this. However, a GUI can present the installer
| with a controlled set of options to choose, and in so doing, will convince
| the installer that all appropriate steps have been taken. A command line
| interface requires the installer to choose commands individually from a
| potentially huge set. How is the installer going to know that he has
| executed every command he should have? This gets back to confidence. The
| installer is going to need a certain amount of knowledge and training in
| order to report to his boss that everything is set up correctly, unless the
| administrative interface gives him confidence that this is true. And
| security training is more often desired than acquired.
|
| Rick.
| smith () securecomputing com
|                         rsmith () visi com
| "Internet Cryptography" in bookstores
| http://www.visi.com/crypto/
|


