Firewall Wizards mailing list archives
Re: Firewall administration.
From: Bennett Todd <bet () rahul net>
Date: Tue, 7 Oct 1997 06:18:28 -0700
Ted Doty wrote:
> Bennett Todd wrote:
>> Gary Crumrine wrote:
>>> Not every entity doing business on the Internet has the need of, nor can they afford, a full featured super wiz bang firewall, or the obligatory [...] guru it is going to take to configure it.
>> The fullest-featured wiz bang firewall I know of costs <<$1,000 USD for an old throwaway PC clone, plus $0 for Linux+ipfw+fwtk. [...] what's needed is someone who can read basic literature (e.g. Cheswick and Bellovin) to get the idea of what they need to accomplish, and put down a basic security policy to fit the organization, then read e.g. the Linux Firewall Howto for cookbook-style instructions on how to set the thing up.
> What's left out here is the cost of the expertise (*nix administration, fwtk administration, overall security cluefulness in general).
Basic system and network admin are gonna be needed to set up and maintain their internet connection, you can buy an order of security cluefulness to go (Cheswick&Bellovin), and fwtk admin has a Linux Documentation Project HOWTO out on it; it doesn't get easier than that.
> I'm guessing that there are more than a couple readers of this list who make fairly decent livings off this.
I don't think we make fairly decent livings setting up firewalls for companies who are too small to be able to afford ... to give us a fairly decent living for setting up their firewall:-).
> It's pretty clear that the (proper) setup and administration of the firewall is several times more expensive than the firewall itself.
Only if the policy is complex. Big complicated companies have complex internal organizations, with many different groups of people with different and incompatible security needs; this makes for complex security policies which require complex firewalls to implement --- to the degree, often nowhere near perfect, we can implement them at all. Your typical wee-teensy company will often, in my experience, have a truly trivial security policy that reflects the preferences of the only individual whose opinion matters, the boss.
> Putting down a "basic security policy to fit the organization" is often a non-trivial task: [...]
So far my limited experience suggests it's hard to write the security policy at a huge, complex company that can well afford to pay me lots of bucks; the kinds of tiny organizations that blanch at the thought of budgeting >>$1000 for a firewall setup seem to have genuinely trivial security policies. I can typically coax most of the needed security policy out of them in a few minutes of Q&A, along the lines of

- Does everybody get to browse the web?
- Does anyone get to do ftp uploads? Telnets?
- Does anyone need to do secure transactions (e.g. buying things over the internet)? Everyone? Can you have a short list of hosts to which that's permitted, and block it to everyone else (as long as that list is easy to update)?
- Does anyone need to be able to get at active content (Java applets, Active-X, etc.)? Can you make up an easy-to-extend-on-request list of ``acceptable'' sites, and block applets from anywhere else?

These folks have trivial security policies. And setting up and running a trivial firewall to enforce a simple security policy is not at all hard or time-consuming.

-Bennett