Firewall Wizards mailing list archives

Re: Firewall administration.


From: Rick Smith <rsmith () visi com>
Date: Tue, 7 Oct 1997 21:15:12 -0500

I wrote:

So, in my opinion, the basic technical security problem is one of cognitive
modeling.

Anton replied:

Isn't that another way of saying that unless you understand what
the firewall is doing (what is going on _behind_ the GUI) the GUI
is a con job?

Actually, I mean something a bit different. We need to assume that users
*won't* have a good understanding of what they're doing. So the GUI needs
to present choices that clearly relate to what the customers need to
control, and "under the hood" perform the necessary connections and
restrictions for them. A trivial example would be to give customers the
ability to manipulate "services" instead of "port numbers."

Also, keep in mind that I'm speaking from the point of view of someone who
wants to get as many people as possible using firewalls correctly, even if
they're not experts in networking or security.

Commenting further:

You don't need a GUI to do this. However, a GUI can present the installer
with a controlled set of options to choose, and in so doing, will convince
the installer that all appropriate steps have been taken.

Bletch!
Sorry to be rude, but I've met ones which do just the opposite.

I fully understand. I didn't intend to imply that GUI = Good Interface. I
believe there's a better chance of giving customers something with a GUI
that's clear and that gives confidence.

There is a simple rule I heard from Tom Duff, but it may precede him:

  If you know more about what's going on than the computer, use a
      command line interface

  If the computer knows more about what's going on, let it present
      you with a menu.

That's essentially what I'm saying. I believe that "typical" firewall
customers won't know more about it than the vendor does.

But more to the point, a GUI system which has no escape is EVIL.

This gets into vendor product objectives. Some products are intended to be
tailored to a huge number of configurations, others are not. Those selected
and configured by experts don't need a hold-your-hand GUI. On the other
hand, some customers won't go near a product if there's a risk that they'll
land in a command line prompt.

... like for example one client of mine who had their firewall
sold to them and installed by a large international IT consulting
group. After it was up they refused to hand over any of the
vendor's documentation, their own design notes or whatever,
claiming that letting the IT managers (who are pretty savvy, not
at all Dilbert-esque) know how it was set up would compromise security.

I wonder if this is something that is (or should be) covered by these
alleged codes of ethics promoted by all of these computer security
associations we have springing up like mushrooms.

IMHO the purpose of a security consultant is to tell you what your risks
are and help you balance them against your business objectives. You can't
do that unless you give the client control over their own security.

Rick.                        rsmith () visi com
"Internet Cryptography" in bookstores   http://www.visi.com/crypto/



