Firewall Wizards mailing list archives

Re: Firewall administration.


From: Bennett Todd <bet () rahul net>
Date: Tue, 7 Oct 1997 06:18:28 -0700

Ted Doty wrote:
> Bennett Todd wrote:
> > Gary Crumrine wrote:
> > > Not every entity doing business on the Internet has the need of, nor can
> > > they afford, a full featured super wiz bang firewall, or the obligatory
> > > [...] guru it is going to take to configure it.

> > The fullest-featured wiz bang firewall I know of costs <<$1,000 USD for an
> > old throwaway PC clone, plus $0 for Linux+ipfw+fwtk. [...] what's needed
> > is someone who can read basic literature (e.g. Cheswick and Bellovin) to
> > get the idea of what they need to accomplish, and put down a basic security
> > policy to fit the organization, then read e.g. the Linux Firewall Howto for
> > cookbook-style instructions on how to set the thing up.

> What's left out here is the cost of the expertise (*nix administration,
> fwtk administration, overall security cluefulness in general).

Basic system and network admin are gonna be needed to set up and maintain
their internet connection, you can buy an order of security cluefulness to go
(Cheswick&Bellovin), and fwtk admin has a Linux Documentation Project HOWTO
out on it; it doesn't get easier than that.

> I'm guessing that there are more than a couple readers of this list who make
> fairly decent livings off this.

I don't think we make fairly decent livings setting up firewalls for companies
who are too small to be able to afford ... to give us a fairly decent living
for setting up their firewall:-).

> It's pretty clear that the (proper) setup and administration of the firewall
> is several times more expensive than the firewall itself.

Only if the policy is complex. Big complicated companies have complex internal
organizations, with many different groups of people with different and
incompatible security needs; this makes for complex security policies which
require complex firewalls to implement --- to the degree, often nowhere near
perfect, we can implement them at all.

Your typical wee-teensy company will often, in my experience, have a truly
trivial security policy that reflects the preferences of the only individual
whose opinion matters, the boss.

> Putting down a "basic security policy to fit the organization" is often a
> non-trivial task: [...]

So far my limited experience suggests it's hard to write the security policy
at a huge, complex company that can well afford to pay me lots of bucks; the
kinds of tiny organizations that blanch at the thought of budgeting >>$1000
for a firewall setup seem to have genuinely trivial security policies. I can
typically coax most of the needed security policy out of them in a few minutes
of Q&A, along the lines of

- Does everybody get to browse the web?

- Does anyone get to do ftp uploads? Telnets?

- Does anyone need to do secure transactions (e.g. buying things over the
  internet)? Everyone? Can you have a short list of hosts to which that's
  permitted, and block it to everyone else (as long as that list is easy to
  update)?

- Does anyone need to be able to get at active content (Java applets,
  ActiveX, etc.)? Can you make up an easy-to-extend-on-request list of
  "acceptable" sites, and block applets from anywhere else?

These folks have trivial security policies. And setting up and running a
trivial firewall to enforce a simple security policy is not at all hard or
time-consuming.

-Bennett
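Added example, not part of the post and not fwtk or ipfw code: the four policy questions above compiled into an ordered, default-deny rule list and checked against a few constructed packets. The network numbers, host addresses and the boss's answers are hypothetical; the packet filter models outbound connection setup only, and the active-content question is handled as a separate proxy-side allowlist, since a packet filter cannot see applets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addresses (hypothetical; not from the post).
INTERNAL = ip_network("192.168.1.0/24")   # the company's one LAN
ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    """The boss's answers to the four questions in the post."""
    everyone_browses_web: bool
    ftp_uploads: bool
    telnets: bool
    secure_hosts: Tuple[str, ...]   # hosts to which HTTPS is allowed; empty = nobody
    applet_sites: Tuple[str, ...]   # sites whose active content is acceptable


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: object            # ip_network
    dst: object            # ip_network
    dport: Optional[int]   # None matches any destination port
    note: str


def compile_policy(p: Policy):
    """Turn the answers into an ordered rule list: first match wins, and an
    explicit deny-everything rule closes the list so anything not asked for
    (inbound connections included) is dropped.  Only the outbound direction
    is modelled; a real ruleset also needs to let TCP replies (ACK set) back
    in, or put a proxy such as fwtk in the path."""
    rules = []
    if p.everyone_browses_web:
        rules.append(Rule("accept", "tcp", INTERNAL, ANYWHERE, 80, "web browsing"))
    if p.ftp_uploads:
        rules.append(Rule("accept", "tcp", INTERNAL, ANYWHERE, 21, "ftp control channel"))
    if p.telnets:
        rules.append(Rule("accept", "tcp", INTERNAL, ANYWHERE, 23, "telnet"))
    for host in p.secure_hosts:   # the short, easy-to-update list of SSL hosts
        rules.append(Rule("accept", "tcp", INTERNAL, ip_network(host), 443,
                          "secure transactions with " + host))
    rules.append(Rule("deny", "any", ANYWHERE, ANYWHERE, None, "default deny"))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """Return (action, note) of the first rule matching the packet."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    raise RuntimeError("rule list has no terminal rule")  # compile_policy always adds one


def applet_allowed(p: Policy, site: str) -> bool:
    """The active-content question is an application-layer matter for an
    HTTP proxy (such as the one in fwtk), not the packet filter: allow
    Java/ActiveX only from the listed sites."""
    return site.lower() in {x.lower() for x in p.applet_sites}


# Constructed answers for a hypothetical tiny company: everyone browses,
# nobody ftps or telnets, one supplier's host is allowed for SSL, one
# site may serve applets.
BOSS_POLICY = Policy(
    everyone_browses_web=True,
    ftp_uploads=False,
    telnets=False,
    secure_hosts=("203.0.113.10",),        # hypothetical supplier's order host
    applet_sites=("www.example.com",),
)
RULES = compile_policy(BOSS_POLICY)


if __name__ == "__main__":
    for r in RULES:
        print(r.action, r.proto, r.src, "->", r.dst, r.dport, "#", r.note)
    print(evaluate(RULES, "tcp", "192.168.1.5", "198.51.100.7", 80))   # accept
    print(evaluate(RULES, "tcp", "192.168.1.5", "198.51.100.7", 443))  # deny
```

The point of the shape is that the whole ruleset falls out of the Q&A: three accept rules and a terminal deny, with the SSL host list being the only thing that ever needs editing. Anything the boss did not ask for, including every inbound connection, hits the last rule.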


