Firewall Wizards mailing list archives
Re: Firewall administration.
From: Bennett Todd <bet () rahul net>
Date: Mon, 6 Oct 1997 06:14:17 -0700
On Mon, Oct 06, 1997 at 06:14:32AM -0400, Gary Crumrine wrote:
> This gui debate is all well and good.
Actually, I think it's the most interesting Firewalls-related topic I've heard lately. Mjr has disposed of the topic of slinging nasty, unfounded rumours about backdoors in products you don't like ("If there were a hole in XXX, the person who found it could short XXX, then reveal the hole, then retire wealthy"). For the major players, that leaves as-yet-undiscovered bugs, new features, and strengths -vs- weaknesses. The issue of strengths and weaknesses in what kinds of policies can be implemented is pretty well-understood. What hasn't been well examined is how the configuration user interface encourages or discourages setting up the firewall incorrectly, allowing your systems to be burgled. And that's a pretty meaty topic.
> Not every entity doing business on the Internet has the need of, nor can they afford, a full featured super wiz bang firewall, or the obligatory web guru it is going to take to configure it.
Ouch ouch ouch. Many ouches. The fullest-featured wiz bang firewall I know of costs <<$1,000 USD for an old throwaway PC clone, plus $0 for Linux+ipfw+fwtk. And I don't see where a web guru gets involved at all; what's needed is someone who can read basic literature (e.g. Cheswick and Bellovin) to get the idea of what they need to accomplish, and put down a basic security policy to fit the organization, then read e.g. the Linux Firewall Howto for cookbook-style instructions on how to set the thing up.
> It is a question of scale. The big firewall houses are marketing their wares towards a small percentage of customers, when compared to the vast smaller market that exists that cannot afford them.
I think you have it backwards; the big firewall houses are divided into two categories; there are the old guard, selling proxy-based firewalls, who are selling to big companies who want the assurance they get from starting with a mature, well-tested system set up by experts and configured with their help to match the local security policy. The recent deluge of new brands are trying to market to people who have heard that a ``firewall'' is a good thing, and don't know how to shop for security, and so are shopping for convenience instead.
> Companies that produce products that are watered down versions or better yet, full featured at lower, more realistic prices are going to find the field ripe for the picking.
The fullest-featured firewall out there, with the most flexibility in accommodating policies from the least to the most strict, is free. The companies that are producing watered-down versions --- or boxes that try to add convenience so you don't need to understand security to configure them --- aren't doing any service at all, to anyone except themselves:-(.
-Bennett