Firewall Wizards mailing list archives

Re: Firewall administration and thoughts cont.


From: Darren Reed <darrenr () cyber com au>
Date: Wed, 8 Oct 1997 09:37:08 +1000 (EST)

In some mail I received from Anton J Aylward, sie wrote
[...]
The GUI is there to pay homage to the myth that GUIs are "user friendly".
They may be 'friendly' from the point of view of the marketeer WRT
uninformed management.   They are not friendly to me.   They are not
friendly to some technically aware managers I do deal with ("why won't it
let me see.....?")   In particular they hide important information.

Compare FW-1's GUI with attempting to read the Inspect language.  IMHO,
the inspect language is full of fluff (you shouldn't be setting colors
for icons in your firewall config!).

I've recently battled with a firewall which has no alternative to the GUI.

Poorly designed product.

[...]
      When the computer knows more about what's going on, use a MENU.
      When the user knows more about what's going on use a COMMAND LINE.

This is 'firewall-wizards'.   Not 'firewall-for-idiots' (although there is
probably a book of that title by now).  If the menu can offer me a "do 90%
of the work for policy #27 out of the selection" then give me a command line
to do the extra bits, fine, I'll take the GUI.   I see this approach in the
AUDIT tools from companies like AXENT (which I strongly recommend!!)
I hope to see it in firewall configurators.   

Which actual products are these ?  Last time I looked at them, Tripwire
was still far superior (Axent was still using checksums vs. a plethora
of non-trivial hashes in Tripwire).  They were also slow to use and
awkward if you had a large number of changes to make.  That and getting
shipped a CD-ROM with a `core' file and gdb didn't exactly do a lot for
my confidence in it (ESM).  Maybe they're a bit better now ?

Then there are the standard doubts about it (ESM) with their proprietary
`scrambling' between master and agents (i.e. not 3-DES, etc).


