Firewall Wizards mailing list archives
Re: Firewall administration.
From: Anton J Aylward <anton () toronto com>
Date: Fri, 03 Oct 1997 22:44:21 -0400
At 11:21 AM 03/10/97 -0600, Rick Smith wrote:

> Unfortunately, a cleverly designed GUI will give you that feeling of confidence without actually implementing all the protections you might have wanted or intended.

So true. So tragic.

> So, in my opinion, the basic technical security problem is one of cognitive modeling.

Isn't that another way of saying that unless you understand what the firewall is doing (what is going on _behind_ the GUI) the GUI is a con job? Rather like Bennett said about process control systems: they work because the operator has a very good cognitive model of the machinery/process that the computer is controlling. Or in a car, or plane, where the operator has controls that look just like what he's used to even when the computer (GUI) isn't there.

> A good administrative interface gives the installer a clear representation of the protection *objectives* he wants to achieve and helps him set up the firewall in terms of those objectives.

Right. And the best such interface I know is a clean piece of paper on a desk well away from any keyboards and screens. Think first, get a good written statement of policy, signed off by all concerned. You know the rest. This is even more valuable than a firewall. It allows you to get the budget to buy a firewall that will do the job! It gives you a metric to measure against. It gives you authority and authorization. Forget the techno-geek stuff, this is about MANAGING resources and expectations.

> You don't need a GUI to do this. However, a GUI can present the installer with a controlled set of options to choose, and in so doing, will convince the installer that all appropriate steps have been taken.

Bletch! Sorry to be rude, but I've met ones which do just the opposite. I've recently been discussing with a member of this list how to phase it out. It has no alternative to the GUI. We know it's not doing some things we expect, but we can't tell anything - and hence the GUI destroys our confidence. The absence of good examples in the manual and the vendor's web page just aggravates this.

> A command line interface requires the installer to choose commands individually from a potentially huge set.

It's not as simple as that. There is a simple rule, which I heard from Tom Duff, but which may precede him:

If you know more about what's going on than the computer, use a command line interface. If the computer knows more about what's going on, let it present you with a menu.

But more to the point, a GUI system which has no escape is EVIL. It's like the line in Rocky Horror, repeated by so many vendors and practitioners: "Trust me, I'm a doctor" (and hence know better than you what's good for you) ... like for example one client of mine who had their firewall sold to them and installed by a large international IT consulting group. After it was up they refused to hand over any of the vendor's documentation, their own design notes or whatever, claiming that letting the IT managers (who are pretty savvy, not at all dilbert-esque) know how it was set up would compromise security.

/anton
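As an added example (not part of Anton's message or anything else in this thread), the following Python script does what the "clean piece of paper" paragraph argues for: it takes the written protection objectives as test cases and checks what the ruleset actually does with them, independently of whatever the administrative interface displays. It also flags rules that an earlier, broader rule makes unreachable, which is one of the things a GUI tends to hide. Networks, rules and objectives are constructed for illustration; first-match evaluation with a default deny is an assumed semantics, not any particular product's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample networks (illustration only).
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
DMZ = "192.168.100.0/24"


@dataclass(frozen=True)
class Rule:
    """One filter rule; proto 'any' and dport None act as wildcards."""
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR form
    dst: str              # destination network, CIDR form
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None for any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' could match is already matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


@dataclass(frozen=True)
class Objective:
    """A line from the written policy, as a test packet and the verdict it must get."""
    description: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    expected: str         # "allow" or "deny"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins (assumed semantics); no match means default deny."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, index
    return "deny", None


def check_policy(rules: List[Rule], objectives: List[Objective]):
    """Return (description, expected, actual, matching rule index, passed) per objective."""
    results = []
    for o in objectives:
        actual, index = evaluate(rules, o.src_ip, o.dst_ip, o.proto, o.dport)
        results.append((o.description, o.expected, actual, index, actual == o.expected))
    return results


def failed_objectives(rules: List[Rule], objectives: List[Objective]) -> List[str]:
    """Descriptions of the policy objectives the ruleset does not meet."""
    return [r[0] for r in check_policy(rules, objectives) if not r[4]]


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(shadowed index, shadowing index) pairs: rules an earlier rule makes unreachable."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


# Constructed ruleset: the third rule was "added in a hurry to make the DMZ work".
RULES = [
    Rule("allow", INTERNAL, DMZ, "tcp", 80),    # staff browse the DMZ web server
    Rule("allow", ANY, DMZ, "tcp", 25),         # inbound mail to the DMZ relay
    Rule("allow", ANY, DMZ, "any", None),       # broad allow; shadows everything after it
    Rule("deny", ANY, DMZ, "tcp", 23),          # policy: no telnet into the DMZ
    Rule("deny", ANY, INTERNAL, "any", None),   # nothing from outside reaches the inside
]

# Constructed objectives, one per line of the signed-off policy statement.
OBJECTIVES = [
    Objective("internal clients can reach the DMZ web server", "10.1.2.3", "192.168.100.10", "tcp", 80, "allow"),
    Objective("internet can deliver mail to the DMZ relay", "203.0.113.5", "192.168.100.20", "tcp", 25, "allow"),
    Objective("internet cannot telnet to the DMZ", "203.0.113.5", "192.168.100.10", "tcp", 23, "deny"),
    Objective("internet cannot reach the internal network", "203.0.113.5", "10.1.2.3", "tcp", 445, "deny"),
]

if __name__ == "__main__":
    for desc, expected, actual, index, ok in check_policy(RULES, OBJECTIVES):
        print(f"{'PASS' if ok else 'FAIL'}: {desc} (expected {expected}, got {actual} from rule {index})")
    for j, i in shadowed_rules(RULES):
        print(f"rule {j} can never match: rule {i} already covers it")
```

Run as written, the report shows the telnet objective failing because the broad allow in rule 2 answers first, and rule 3 listed as unreachable; the metric here is the policy, not the interface's reassurance. Moving the deny ahead of the broad allow makes every objective pass, which the test below also checks.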