Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: StefanDorn () bankcib com
Date: Tue, 5 Jul 2005 09:46:05 -0500

"Paul D. Robertson" <paul () compuwar net> wrote on 07-05-2005 09:16:07 AM:

But what counts as specific?  Is a port more or less specific than an
address?  Is a protocol less specific than a user?  If they do an ASIC
rev, is my happy little ruleset going to do something different if I have
to replace a box?

A rule allowing connections from a specified IP over a specified port to a 
specified IP and port will be considered overall more specific than 
something allowing any IP to connect to a certain IP and port. As far as 
protocol, I assume they aren't being included in the equation; for users, 
two rules that are the same, but one specifying certain users should take 
priority over the more general one, for those users. Basically, it seems 
like anything that could be considered 'more specific' will add weight to 
a rule's being processed ahead of another rule. They really just need 
something added into the management UI that considers your rules, weighs 
them in, and ranks them with the same logic as the firebox is using on 
them.

 
I think their marketing department needs smacked.  I didn't even start to
go on about having three interfaces in the box I can't use unless I pay
more money.

I was saddened when I found out that three of the ports are just for show 
until I shell out more cash. When I purchase a piece of hardware, I expect 
to be able to use the features that are available on it. If I need an 
upgrade, I expect to buy an expansion card, or a new unit. Since the 
Fireware Pro package allows for multiple WAN connections and fail-over 
options, the interface upgrade cost is just another item that will hold me 
back on upgrading to Fireware.

I'm glad I'm not the only one left with that impression.  I'm going to go
back over my personal evaluation criteria and tweak the support parts to
match what I see as good.  I also think that I'm going to go back to
building more open source based firewalls- the idea behind a commercial
product is support and consistency.  I'm not seeing good things in either
department.

In all fairness, I think WatchGuard is trying pretty hard to create a good 
product. The WFS series of management software seems oriented towards 
people just starting to get involved with enterprise grade firewall 
administration, and in the grand scheme of things is pretty easy to get up 
and running, albeit only modestly secure if the admin doesn't know what 
they are doing. (But that's user error, not really WatchGuard's fault.) 
With the Fireware Pro line, they definitely are attempting to create a 
package geared towards more expert users. I can appreciate that, but I 
think I'm going to let it mature a while longer before I consider using it 
in a production environment.

Stefan
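
Added example, not part of the original message and not WatchGuard's algorithm: a sketch of specificity-based rule ranking, showing that the same constructed packet is allowed or denied depending on whether addresses count for more than ports. The scoring function, its weights, and the rule names are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: str = "0.0.0.0/0"          # 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"
    port: Optional[int] = None      # None means any port
    users: frozenset = frozenset()  # empty means any user

def specificity(r, w_addr=1, w_port=1, w_user=1):
    # Assumed scoring, not the vendor's: prefix length, fixed port, named users.
    bits = ip_network(r.src).prefixlen + ip_network(r.dst).prefixlen
    return w_addr * bits + w_port * 32 * (r.port is not None) + w_user * 32 * bool(r.users)

def rank(rules, **weights):
    # Most specific first; sorted() is stable, so ties keep the listed order.
    return sorted(rules, key=lambda r: -specificity(r, **weights))

def matches(r, src, dst, port, user=None):
    return (ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst)
            and r.port in (None, port)
            and (not r.users or user in r.users))

def decide(rules, src, dst, port, user=None, **weights):
    # First matching rule in ranked order wins; default deny if nothing matches.
    for r in rank(rules, **weights):
        if matches(r, src, dst, port, user):
            return r.action, r.name
    return "deny", "default"

# Constructed ruleset using documentation address ranges.
RULES = [
    Rule("any-to-web", "allow", dst="192.0.2.10/32", port=443),
    Rule("block-subnet", "deny", src="198.51.100.0/24", dst="192.0.2.10/32"),
    Rule("host-to-web", "allow", src="198.51.100.7/32", dst="192.0.2.10/32", port=443),
    Rule("admins-to-web", "allow", dst="192.0.2.10/32", port=443, users=frozenset({"alice"})),
]

if __name__ == "__main__":
    pkt = ("198.51.100.50", "192.0.2.10", 443)   # constructed packet
    print(decide(RULES, *pkt))                   # equal weights
    print(decide(RULES, *pkt, w_addr=2))         # addresses weighted double
```

Unless the management UI shows the ranked order the box actually uses, an administrator cannot tell from the listed rules which of these two outcomes applies.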