Firewall Wizards mailing list archives
Re: Firewall administration.
From: Anton J Aylward <anton () toronto com>
Date: Wed, 01 Oct 1997 17:18:34 -0400
At 04:59 AM 30/09/97 -0700, you wrote: ## Reply Start ##
[...] firewall experts are costly (if they even want to work permanently!) and training a person to the required level is also going to be quite costly. Thus relying on skilled people to configure them is to nobody's advantage so the presence of user-friendly interfaces becomes a must. [...]
I think _That_ misconception is gonna be hard to run down; I don't even have a clear idea who is guilty of promulgating it.
Right. There seems to be a trend to GUI things whether they need it or not. My office photocopier now has a GUI. Next I expect my toaster and microwave will. Why? Blame Bill Gates I suppose.
I've only administered a few different firewalls, though I've looked at the support docs for a couple more, and so far I've yet to see one that's anywhere near as hard to configure as your typical Windows app.
There is something deep here, but I'm too confused by trying to navigate all these GUIs, when I KNOW what I want and could enter the command line directly, but the damn GUI won't let me.....
GUIs aren't a must; simplicity is a must. When you have a box that's simple enough to possibly be a good firewall, you don't need or want a GUI.
Right.
The _hard_ part --- which a GUI won't help --- is providing technical assistance in the process of developing the company security policy; this includes educating management about risks and choices in protocols and internet services. Once that policy is done, the firewall config and admin is a piece o' cake by comparison.
What's the acronym, like ROTFL, for enthusiasm? I'm bouncing up and down in my chair agreeing with you. You've said that well. PLEASE can I quote you everywhere I go? You've really summed this up well. Oh, what about the pointy-haired managers? You know, the ones in the Dilbert cartoons? Do I have to educate them as well?
I think the presence of an easily usable GUI is a *must* for any serious commercial firewall.
I think the presence of an elaborate GUI is a warning flag; the vendor has added complexity to try to help people who aren't competent to configure the system. That's bad for security twice. I don't want to be buying products from a company that adds complexity (== room for bugs) to a product to help allow people who don't know enough to do the job right to give the appearance of doing the job.
You know that, I know that, but the manager says "Oh, I can understand that". No he can't, he can only understand the GUI. As you say, if he understood what a firewall was about this would be a warning flag. "Hi, we think you're a bunch of incompetents and we won't let you at the real controls".
What's the difference between a router and a firewall? Well, the difference isn't visible to the kind of clueless putz who wants a GUI.
[...] But that doesn't justify the reviewers using the GUI as the #1 index.
Now _That_ I do find useful; with them rating firewalls by GUI, you can at least invert their results and get a good first approximation to a reasonable evaluation.
Once again I have to thank you for a brilliant observation which I've missed.
But they don't have any good role I can see on a firewall. But then, I'm not a burglar. If I were, I'd certainly encourage people to go with GUIs to let them use untrained people to set up their ``firewall''.
I thought we shouldn't talk about money making schemes here. MJR's scheme of selling FW companies short before finding flaws was bad enough. You have an evil mind. In this business you're only required to be paranoid.
/anton - smileys omitted for clarity
## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | Nothing is more difficult to carry out,
The Strahn & Strachan Group Inc  | nor more doubtful of success, nor more
Information Security Consultants | dangerous to handle, than to initiate a
Voice: (416) 494-8661            | new order of things." ---- Machiavelli
Fax: (416) 494-8803              |