Firewall Wizards mailing list archives
RE: Firewall administration.
From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 6 Oct 1997 06:14:32 -0400
This gui debate is all well and good. We know it isn't the answer to all of our prayers, but if it provides increased threat management, then I'd say let em run with it. It is better than nothing. Not every entity doing business on the Internet has the need of, nor can they afford, a full featured super wiz bang firewall, or the obligatory web guru it is going to take to configure it. It is a question of scale. The big firewall houses are marketing their wares towards a small percentage of customers, when compared to the vast smaller market that exists that cannot afford them. Companies that produce products that are watered down versions or better yet, full featured at lower, more realistic prices are going to find the field ripe for the picking. You are already seeing this trend gaining momentum. JMHO On Friday, October 03, 1997 1:21 PM, Rick Smith [SMTP:rsmith () visi com] wrote: | I don't think the problem is so much one of GUI versus | non-GUI, I think it | runs deeper. People will follow the minimum number of | instructions to get | things going, but once they're done they want to feel | confident that | they've done the job completely and correctly. | | This "feeling" is an important part of security. Customers | aren't | completely satisfied without it. | | Unfortunately, a cleverly designed GUI will give you that | feeling of | confidence without actually implementing all the | protections you might have | wanted or intended. | | So, in my opinion, the basic technical security problem is | one of cognitive | modeling. A good administrative interface gives the | installer a clear | representation of the protection *objectives* he wants to | achieve and helps | him set up the firewall in terms of those objectives. Only | techno-geeks | care about ports and packet state bits. The administrators | care about | controlling traffic direction and type of service, or | perhaps even higher | level things. So a good interface lets the administrators | set up the | firewall in terms of interesting goals. | | You don't need a GUI to do this. However, a GUI can | present the installer | with a controlled set of options to choose, and in so | doing, will convince | the installer that all appropriate steps have been taken. | A command line | interface requires the installer to choose commands | individually from a | potentially huge set. How is the installer going to know | that he has | executed every command he should have? This gets back to | confidence. The | installer is going to need a certain amount of knowledge | and training in | order to report to his boss that everything is set up | correctly, unless the | administrative interface gives him confidence that this is | true. And | security training is more often desired than acquired. | | Rick. | smith () securecomputing com | rsmith () visi com | "Internet Cryptography" in bookstores | http://www.visi.com/crypto/ |
Current thread:
- Re: Firewall administration., (continued)
- Re: Firewall administration. Rik Farrow (Oct 03)
- Re: Firewall administration and thoughts cont. Mark Teicher (Oct 04)
- Interface (was Firewall administration and thoughts) David Collier-Brown (Oct 06)
- Re: Interface (was Firewall administration and thoughts) Mark Teicher (Oct 06)
- Re: Firewall administration and thoughts cont. Mark Teicher (Oct 04)
- Re: Firewall administration. Rik Farrow (Oct 03)
- Re: Firewall administration. Anton J Aylward (Oct 04)
- Re: Firewall administration. Rick Smith (Oct 09)
- Re: Firewall administration. Bennett Todd (Oct 09)
- firewall configurator Was: Firewall administration. Magossa'nyi A'rpa'd (Oct 10)
- Re: firewall configurator Was: Firewall administration. -= ArkanoiD =- (Oct 11)
- Re: firewall configurator Was: Firewall administration. Magossa'nyi A'rpa'd (Oct 12)
- Re: Firewall administration. Rick Smith (Oct 09)
- Re: Firewall administration. Bennett Todd (Oct 06)
- Re: Firewall administration. Adam Shostack (Oct 07)
- Re: Firewall administration. Bennett Todd (Oct 07)
- Re: Firewall administration. Marcus J. Ranum (Oct 07)
- Re: Small company question was Re: Firewall administration. Mark Teicher (Oct 09)
- Re: Small company question was Re: Firewall administration. Bennett Todd (Oct 10)