Re: Firewall administration.

[Anton J Aylward <anton () toronto com>]

At 04:59 AM 30/09/97 -0700, you wrote:
## Reply Start ##
> > [...] firewall experts are costly (if they even want to work permanently!)
> > and training a person to the required level is also going to be quite
costly.
> > Thus relying on skilled people to configure them is to nobody's advantage so
> > the presence of user-friendly interfaces becomes a must. [...]
>
>
> I think _That_ misconception is gonna be hard to run down; I don't even
have a
> clear idea who is guilty of promulgating it.

Right.  There seems to be a trend to GUI things whether they need it or not.
My office photocopier now has a GUI.  Next I expect my toaster and microwave
will.  Why?  Blame Bill Gates I suppose

> I've only administered a few different firewalls, though I've looked at the
> support docs for a couple more, and so far I've yet to see one that's
anywhere
> near as hard to configure as your typical Windows app. 

There is something deep here, but I'm too confused by trying to navigate
all these GUIs, when I KNOW what I want and could enter the command
line directly, but the damn GUI won't let me.....

> GUIs aren't a must; simplicity is a must. When you have a box that's simple
> enough to possibly be a good firewall, you don't need or want a GUI.

Right.

> The _hard_ part --- which a GUI won't help --- is providing technical
> assistance in the process of developing the company security policy; this
> includes educating management about risks and choices in protocols and
> internet services. Once that policy is done, the firewall config and admin is
> a piece o' cake by comparison.

Whats the acronym, like ROTFL, for enthusiasm.
I'm bouncing up and down in my chair agreeing with you.
You've said that well.
PLEASE can I quote you everywhere I go.
You've really summed this up well.

Oh, what about the pointy-haired managers?  You know, the
ones in the Dilbert cartoons?   Do I have to educate them as well?


> > I think the presence of an easily usable GUI is a *must* for any serious
> > commercial firewall.
>
> I think the presence of an elaborate GUI is a warning flag; the vendor has
> added complexity to try to help people who aren't competant to configure the
> system. That's bad for security twice. I don't want to be buying products
from
> a complany that adds complexity (== room for bugs) to a product to help allow
> people who don't know enough to do the job right to give the appearance of
> doing the job.

You know that, I know that, but the manager says "Oh, I can understand that".
No he can't, he can only understand the GUI.  As you say, if he understood
what
a firewall was about this would be a warning flag.  "Hi, we think you're a
bunch of incompetents and we won't let you at the real controls".

> What's the difference between a router and a firewall? Well, the difference
> isn't visible to the kind of clueless putz who wants a GUI.
>
> > [...] But that doesn't justify the reviewers using the GUI as the #1 index.
>
> Now _That_ I do find useful; with them rating firewalls by GUI, you can at
> least invert their results and get a good first approximation to a reasonable
> evaluation.

Once again I have to thank you for a brilliant observation which I've missed.

> But they don't have any good role I can see on a firewall. But then, I'm
not a
> burglar. If I were, I'd certainly encourage people to go with GUIs to let
them
> use untrained people to set up their ``firewall''.

I thought we shouldn't talk about money making schemes here.
MJR's scheme of selling FW companies short before finding flaws was
bad enough.  You have an evil mind.   In this business you're only
required to be paranoid.

/anton - smileys omitted for clarity

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | Nothing is more difficult to carry out, 
The Strahn & Strachan Group Inc  | nor more doubtful of success, nor more 
Information Security Consultants | dangerous to handle, than to initiate a 
Voice: (416) 494-8661            | new order of things."   ---- Machiavelli
  Fax: (416) 494-8803            |