Firewall Wizards mailing list archives
Re: Firewall administration.
From: Rick Smith <rsmith () visi com>
Date: Tue, 7 Oct 1997 21:15:12 -0500
I wrote:
>> So, in my opinion, the basic technical security problem is one of cognitive modeling.
Anton replied:
> Isn't that another way of saying that unless you understand what the firewall is doing (what is going on _behind_ the GUI) the GUI is a con job?
Actually, I mean something a bit different. We need to assume that users *won't* have a good understanding of what they're doing. So the GUI needs to present choices that clearly relate to what the customers need to control, and "under the hood" perform the necessary connections and restrictions for them. A trivial example would be to give customers the ability to manipulate "services" instead of "port numbers." Also, keep in mind that I'm speaking from the point of view of someone who wants to get as many people as possible using firewalls correctly, even if they're not experts in networking or security. Commenting further:
>> You don't need a GUI to do this. However, a GUI can present the installer with a controlled set of options to choose, and in so doing, will convince the installer that all appropriate steps have been taken.
> Bletch! Sorry to be rude, but I've met ones which do just the opposite.
I fully understand. I didn't intend to imply that GUI = Good Interface. I believe there's a better chance of giving customers something with a GUI that's clear and that gives confidence.
> There is a simple rule, which I heard from Tom Duff, but it may precede him:
> If you know more about what's going on than the computer, use a command line interface.
> If the computer knows more about what's going on, let it present you with a menu.
That's essentially what I'm saying. I believe that "typical" firewall customers won't know more about it than the vendor does.
> But more to the point, a GUI system which has no escape is EVIL.
This gets into vendor product objectives. Some products are intended to be tailored to a huge number of configurations, others are not. Those selected and configured by experts don't need a hold-your-hand GUI. On the other hand, some customers won't go near a product if there's a risk that they'll land in a command line prompt.
> ... like for example one client of mine who had their firewall sold to them and installed by a large international IT consulting group. After it was up they refused to hand over any of the vendor's documentation, their own design notes or whatever, claiming that letting the IT managers (who are pretty savvy, not at all Dilbert-esque) know how it was set up would compromise security.
I wonder if this is something that is (or should be) covered by these alleged codes of ethics promoted by all of these computer security associations we have springing up like mushrooms. IMHO the purpose of a security consultant is to tell you what your risks are and help you balance them against your business objectives. You can't do that unless you give the client control over their own security.

Rick.
rsmith () visi com
"Internet Cryptography" in bookstores
http://www.visi.com/crypto/