Firewall administration.

[Darren Reed <darrenr () cyber com au>]

Anton, I think there's other factors here which contribute to the
"personel" problem.  One of them is what the firewall & Internet
connection provide _to_ the company (in terms of $$).

At the moment, it's primary access to email, WWW and other Internet based
resources.  What value does that have to a multi-billion $ company ?  And
in smaller companies where there is increased pressure to make sure there
is a profit being returned, the availability of budget money may not be a
part of the current scheme of things.  Why ?  Well, I partly think this is
due to the commodity nature of firewalls.

If my manager decides tomorrow that he wants an Internet connection and
firewall yesterday, has budget for the equipment but balks at the suggestion
of another $50k/yr staff member (who will have little or no direct role in
increasing the revenue of the company), do you think he'll put off the
purchase of the equipment & connection until HR can find and employ the
right person ?

And that leads us to the current dilema many are noticing.  Reviews of
firewalls based on the GUI 1st and security 2nd.  Why ?  Because firewall
experts are costly (if they even want to work permanently!) and training
a person to the required level is also going to be quite costly.  Thus
relying on skilled people to configure them is to nobody's advantage so
the presence of user-friendly interfaces becomes a must.  Even then, if
that person leaves, what next ?

I think the presence of an easily usable GUI is a *must* for any serious
commercial firewall.  It should make it *hard* for the user to do things
which will create security problems (but not impossible!) and *easy* for
them to configure their firewall securely.  But that doesn't justify the
reviewers using the GUI as the #1 index.

Darren