Re: Firewall administration.

[Ted Doty <ted () iss net>]

At 06:14 AM 10/6/97 -0700, Bennett Todd wrote:
> On Mon, Oct 06, 1997 at 06:14:32AM -0400, Gary Crumrine wrote:

> > Not every entity doing business on the Internet has the need of, nor can
> > they afford, a full featured super wiz bang firewall, or the obligatory web
> > guru it is going to take to configure it.
>
> Ouch ouch ouch. Many ouches. The fullest-featured wiz bang firewall I know of
> costs <<$1,000 USD for an old throwaway PC clone, plus $0 for
Linux+ipfw+fwtk.
> And I don't see where a web guru gets involved at all; what's needed is
> someone who can read basic literature (e.g. Cheswick and Bellovin) to get the
> idea of what they need to accomplish, and put down a basic security policy to
> fit the organization, then read e.g. the Linux Firewall Howto for
> cookbook-style instructions on how to set the thing up.

What's left out here is the cost of the expertise (*nix administration,
fwtk administration, overall security cluefulness in general).  I'm
guessing that there are more than a couple readers of this list who make
fairly decent livings off this.  It's pretty clear that the (proper) setup
and administration of the firewall is several times more expensive than the
firewall itself.

Putting down a "basic security policy to fit the organization" is often a
non-trivial task: things like relating threats and vulnerabilities to the
value of specific data, in tangible (value of accounts receivable database)
and intangible (liability due to exposure of records from personnel
database) are *hard*.


- Ted

----------------------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://eng.iss.net/~tdoty
----------------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE