Re: Firewall administration.

[Anton J Aylward <anton () toronto com>]

At 11:21 AM 03/10/97 -0600, Rick Smith wrote:
## Reply Start ##

> Unfortunately, a cleverly designed GUI will give you that feeling of
> confidence without actually implementing all the protections you might have
> wanted or intended.

So, true.  So tragic.

> So, in my opinion, the basic technical security problem is one of cognitive
> modeling. 

Isn't that another way of saying that unless you understand what 
the firewall is doing (what is going on _behind_ the GUI) the GUI 
is a con job.   Rather like Bennett said about process control systems.
They work because the operator has a very good cognitive model of the
machinery/process that the computer is controlling.  Or in a car, 
or plane, where the operator has controls that look just like what 
he's used to even when the computer (GUI) isn't there.

> A good administrative interface gives the installer a clear
> representation of the protection *objectives* he wants to achieve and helps
> him set up the firewall in terms of those objectives. 

Right.
And the best such interface I know is a clean piece of paper on 
a desk well away from any keyboards and screens.   Think first, 
get a good written statement of policy, signed off by all concerned.
You know the rest.   This is even more valuable than a firewall.
It allows you to get the budget to buy a firewall that will do
the job!  It gives you a metric to measure against.   It gives
you authority and authorization.   Forget the techno-gek stuff,
this is about MANAGING resources and expectations.


> You don't need a GUI to do this. However, a GUI can present the installer
> with a controlled set of options to choose, and in so doing, will convince
> the installer that all appropriate steps have been taken. 

Bletch!
Sorry to be rude, but I've met ones which do just the opposite.
I've recently been discussing with a member of this list how to
phase it out.  It has no alternative to the GUI.  We know its not
doing some things we expect, but we can't tell anything - and hence
the GUI destroys our confidence.   The absence  of good examples
in the manual and the vendor's web page just aggravate this.

> A command line
> interface requires the installer to choose commands individually from a
> potentially huge set. 

Its not as simple as that.
There is a simple rule, I heard from Tom Duff, but may precede him

   If you know more about what's going on than the computer, use a
        command line interface

   If the computer knows more about what's going on, let it present
        you with a menu.

But more to the point, a GUI system which has no escape is EVIL.
It like the line in Rocky Horror, repeated by so many vendors
and practitioners:

        Trust me, I'm a doctor
                (and hence know better than you what's good for you)

... like for example one client of mine who had their firewall
sold to them and installed by a large international IT consulting 
group.   After it was up they refused to hand over any of the 
vendor's documentation, their own design notes or whatever,
claiming that letting the IT managers (who are pretty savvy, not
at all dilbert-esque) know how it was set up would compromise security.

/anton

## Reply End ##