Firewall Wizards mailing list archives

Re: Firewall administration.


From: Bennett Todd <bet () rahul net>
Date: Mon, 6 Oct 1997 06:14:17 -0700

On Mon, Oct 06, 1997 at 06:14:32AM -0400, Gary Crumrine wrote:
> This gui debate is all well and good.

Actually, I think it's the most interesting Firewalls-related topic I've heard
lately. Mjr has disposed of the topic of slinging nasty, unfounded rumours
about backdoors in products you don't like ("If there were a hole in XXX, the
person who found it could short XXX, then reveal the hole, then retire
wealthy"). For the major players, that leaves as-yet-undiscovered bugs, new
features, and strengths -vs- weaknesses. The issue of strengths and weaknesses
in what kinds of policies can be implemented is pretty well-understood. What
hasn't been well examined is how the configuration user interface encourages
or discourages setting up the firewall incorrectly, allowing your systems to
be burgled. And that's a pretty meaty topic.

> Not every entity doing business on the Internet has the need of, nor can
> they afford, a full featured super wiz bang firewall, or the obligatory web
> guru it is going to take to configure it.

Ouch ouch ouch. Many ouches. The fullest-featured wiz bang firewall I know of
costs <<$1,000 USD for an old throwaway PC clone, plus $0 for Linux+ipfw+fwtk.
And I don't see where a web guru gets involved at all; what's needed is
someone who can read basic literature (e.g. Cheswick and Bellovin) to get the
idea of what they need to accomplish, and put down a basic security policy to
fit the organization, then read e.g. the Linux Firewall Howto for
cookbook-style instructions on how to set the thing up.

> It is a question of scale. The big firewall houses are marketing their wares
> towards a small percentage of customers, when compared to the vast smaller
> market that exists that cannot afford them.

I think you have it backwards; the big firewall houses are divided into two
categories; there are the old guard, selling proxy-based firewalls, who are
selling to big companies who want the assurance they get from starting with a
mature, well-tested system set up by experts and configured with their help to
match the local security policy. The recent deluge of new brands are trying to
market to people who have heard that a "firewall" is a good thing, and don't
know how to shop for security, and so are shopping for convenience instead.

> Companies that produce products that are watered down versions or better
> yet, full featured at lower, more realistic prices are going to find the
> field ripe for the picking.

The fullest-featured firewall out there, with the most flexibility in
accommodating policies from the least to the most strict, is free. The
companies that are producing watered-down versions --- or boxes that try to
add convenience so you don't need to understand security to configure them ---
aren't doing any service at all, to anyone except themselves:-(.

-Bennett
