Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: Jan Tietze <jan () planet-pinguin de>
Date: Tue, 05 Jul 2005 23:17:26 +0200

Paul D. Robertson wrote:

> On Tue, 5 Jul 2005 StefanDorn () bankcib com wrote:
> I can't even imagine trying to audit the "we'll pick the most exact
> match"
The target audience of the Firebox really doesn't know what an audit is. They usually also don't have much of a budget.

> ruleset evaluation of one of these beasts.  If I thought there was any
> chance the old software would work with the new box, I'd be loading that
> tomorrow.  My "same vendor" rationale is right out the window- the two
> products aren't even close- other than the fact they're both red.
Since this came up a lot - AFAIK the Watchguard Firebox X series is not ASIC-based, but based on readily-available x86-style hardware in a nice red box that mounts in your favorite data center rack and looks really pretty. It still has mostly the same software on it that used to work in their previous appliances (Firebox 10/100/II/III series), and that means it shares the unholy heritage of their rather "unconventional" approach to rulesets. The ASIC-based Vclass offerings were originally RapidStream boxes, and they use a totally separate piece of management software that uses a more traditional approach for ruleset ordering. The Firebox series really is an SMB device targeted at someone who is so unfamiliar with firewalls that he won't notice the difference compared to other firewalls anyway.

>> The 7.x series of software does this- precedence is based on how specific
>> each rule is. The most specific rules are evaluated first, and so on. Of
> But what counts as specific?  Is a port more or less specific than an
> address?  Is a protocol less specific than a user?  If they do an ASIC
> rev, is my happy little ruleset going to do something different if I have
> to replace a box?
This used to be in their documentation. Also, while we're at it - what's "incoming" and "outgoing"? They *did* change that once between releases. Their Firebox II/III boxes used to have 3 NICs only, one for External, one Trusted, one Optional (DMZ) network (this alone should tell you something about the target market). Basically, incoming and outgoing are arranged like this:

Trusted -> Optional -> External
---------- outgoing ----------->
<-------- incoming -----------

However, things get very interesting when you have VPN users or sites, because those don't fit very well into this logic, and it was also changed recently.

One thing you should do when creating a ruleset in WFS (don't know about 8.0, but for pre-8.0, this is true) to avoid confusion about ruleset ordering is create rulesets like this:

<TRU|OPT|EXT|VPN>-<TRU|OPT|EXT|VPN>-ServiceName

with only one of "Incoming" and "Outgoing" set to "enabled and allowed", and the other set to "Disabled". This means for each given service and direction, you can only have a single "service icon" match. This might end up with rules that are too permissive (i.e. you wish to enable communication between two hosts Trusted_A and Optional_B as well as Trusted_B and Optional_C, but not Trusted_A and Optional_C), which is when you should just create another rule of the same kind (preferably with a somewhat descriptive suffix). When following this nomenclature, you won't create rules that are too permissive, and can work around the magic ruleset ordering problem (just one rule for each service, so the order of evaluation doesn't matter anymore). It sure isn't pretty though, but when you have lots of rules, the nomenclature also helps you find the rule you seek.

>> course, the software itself does nothing to show you the order they are
>> in. I think I recall reading that in the newer "Fireware Pro" software,
>> you can manually set precedence. Maybe it hasn't been implemented yet.
> I think their marketing department needs smacked.  I didn't even start to
> go on about having three interfaces in the box I can't use unless I pay
> more money.
In all fairness, that's really not that unusual, given that some license their products on throughput etc.

> While I'm ranting- what's with support hours from 9-6pm *at my
> location*?
You could get Gold support and 24x7 support hours ;-) Also, if you purchased from a Watchguard partner, you should be able to get some help from them. And getting access to the support website also shouldn't be very difficult with a LiveSecurity key (don't expect too much from it though; the known issues list is notoriously incomplete...).

> Hello Watchguard- firewalls are *production* boxes, downtime doesn't get
> scheduled for when the users are still working!
>> The good news is, they have a support forum with some pretty helpful
>> Watchguard people moderating it, and even a few customers who try to help
>> people out. Bad news is, I've yet to get a question completely answered
They have a forum, yes, but the s/n ratio is terrible and the overall quality of the responses even by Watchguard support personnel is far from impressive.

>> via their incident response system. Barring disaster, I generally try to
>> figure a problem out myself, since every time I contact support they
>> immediately request that I let them connect and play with the
>> configuration..which isn't going to happen. It makes me wonder if
The next suggestion by their support is going to be "just rebuild the configuration from scratch and see if the problem goes away". Either try to find a knowledgeable person with the partner you purchased the box through, or demand to have the ticket escalated to second level.

>> outsourcing can really be worth it, considering the fact that it generally
>> results in customers getting irritated with it and then requesting a US
>> representative anyway. Why not just get it right the first time?
> I'm glad I'm not the only one left with that impression.  I'm going to go
> back over my personal evaluation criteria and tweak the support parts to
> match what I see as good.  I also think that I'm going to go back to
> building more open source based firewalls- the idea behind a commercial
> product is support and consistency.  I'm not seeing good things in either
> department.
At one point I had to work with Watchguard firewalls most of the time. They really are oriented towards beginners for whom network security is a relatively new field and a part-time duty of their job. I'm seeing some great products with rather good management software. I don't share your pessimistic view of the commercial firewall vendor space, and I certainly wouldn't want to go back to building firewalls myself from open source components again though - there's so many things to worry about (logging securely, log file management, distributed firewall management, clustering, VPN interoperability, link redundancy, patch management..., remote upgrades, downgrades...) that I'd much rather pick a commercial solution with a reasonable architecture and management.

I'm also pretty sure that you are mixing up their Vclass and Firebox product lines. They have nothing in common AFAIR.

-- Jan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
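The direction model (Trusted -> Optional -> External) and the <FROM>-<TO>-ServiceName nomenclature Jan describes above can be checked mechanically. The following Python linter is an added example, not code from the original thread or from WatchGuard: WFS has no export in this shape, so the rule dicts, the host names and the sample ruleset are constructed for illustration. It flags the three ways a ruleset in that nomenclature can still hand precedence back to the box: a rule with both directions enabled, a rule whose enabled direction contradicts its zone pair, and two rules for the same service whose host sets overlap (VPN pairs, which the post says do not fit the model, are reported for manual review).

```python
"""Linter for firewall rules named <FROM>-<TO>-Service, as suggested in the thread.

Added example, not WatchGuard code or a WFS export format: the rule dicts, host
names and SAMPLE_RULES below are constructed for illustration. It demonstrates
the post's point: if every service/direction pair has exactly one rule, and any
extra rules for the same service cover disjoint hosts, the box's "most specific
match" ordering can never decide differently from what you intended.
"""
import re
from itertools import combinations

# Trust order of the three classic Firebox zones: Trusted > Optional > External.
ZONES = ["TRU", "OPT", "EXT"]

# <FROM>-<TO>-Service with an optional descriptive suffix, e.g. TRU-OPT-MySQL-billing
NAME_RE = re.compile(r"^(TRU|OPT|EXT|VPN)-(TRU|OPT|EXT|VPN)-([^-]+)(?:-(.+))?$")


def expected_direction(src_zone, dst_zone):
    """'outgoing' is traffic toward a less trusted zone, 'incoming' the reverse.

    VPN users/sites and same-zone pairs do not sit on the Trusted -> Optional
    -> External line, so the caller gets None and must decide by hand.
    """
    if "VPN" in (src_zone, dst_zone) or src_zone == dst_zone:
        return None
    return "outgoing" if ZONES.index(src_zone) < ZONES.index(dst_zone) else "incoming"


def hosts_overlap(a, b):
    """Two host sets can match the same packet if either is 'Any' or they share a host."""
    return "Any" in a or "Any" in b or bool(a & b)


def lint(rules):
    """Return (rule name, problem) tuples for rules that leave precedence to the box."""
    findings = []
    by_key = {}  # (service, src_zone, dst_zone) -> rules that all claim that traffic
    for rule in rules:
        match = NAME_RE.match(rule["name"])
        if not match:
            findings.append((rule["name"], "name does not follow FROM-TO-Service"))
            continue
        src_zone, dst_zone, service, _suffix = match.groups()
        enabled = [d for d in ("incoming", "outgoing") if rule[d] == "allowed"]
        if len(enabled) != 1:
            findings.append((rule["name"],
                             "exactly one direction must be enabled, got %s" % (enabled or "none")))
        else:
            want = expected_direction(src_zone, dst_zone)
            if want is None:
                findings.append((rule["name"], "VPN or same-zone pair: check direction by hand"))
            elif want != enabled[0]:
                findings.append((rule["name"], "%s->%s is %s, but the rule enables %s"
                                 % (src_zone, dst_zone, want, enabled[0])))
        by_key.setdefault((service, src_zone, dst_zone), []).append(rule)

    # Extra rules for the same service are fine (the post suggests them to avoid
    # over-permissive rules) only as long as no packet can match two of them.
    for (service, _src, _dst), group in by_key.items():
        for a, b in combinations(group, 2):
            if hosts_overlap(a["src"], b["src"]) and hosts_overlap(a["dst"], b["dst"]):
                findings.append(("%s / %s" % (a["name"], b["name"]),
                                 "both match %s for overlapping hosts; the box picks one" % service))
    return findings


# Constructed sample ruleset (not a real configuration).
SAMPLE_RULES = [
    {"name": "TRU-EXT-HTTP", "incoming": "disabled", "outgoing": "allowed",
     "src": {"Any"}, "dst": {"Any"}},
    {"name": "EXT-OPT-SMTP", "incoming": "allowed", "outgoing": "disabled",
     "src": {"Any"}, "dst": {"Optional_MX"}},
    # direction backwards: EXT -> TRU traffic is incoming in the Firebox model
    {"name": "EXT-TRU-SSH", "incoming": "disabled", "outgoing": "allowed",
     "src": {"Admin_Home"}, "dst": {"Trusted_Bastion"}},
    # both directions enabled: two "service icons" can match, so ordering matters
    {"name": "TRU-OPT-MySQL", "incoming": "allowed", "outgoing": "allowed",
     "src": {"Trusted_A"}, "dst": {"Optional_B"}},
    # split rules for the same service: fine as long as their hosts do not overlap
    {"name": "TRU-OPT-MySQL-reporting", "incoming": "disabled", "outgoing": "allowed",
     "src": {"Trusted_A", "Trusted_B"}, "dst": {"Optional_B"}},
    {"name": "TRU-OPT-MySQL-billing", "incoming": "disabled", "outgoing": "allowed",
     "src": {"Trusted_B"}, "dst": {"Optional_C"}},
    {"name": "Firewall Rule 12", "incoming": "allowed", "outgoing": "disabled",
     "src": {"Any"}, "dst": {"Any"}},
    {"name": "VPN-TRU-RDP", "incoming": "allowed", "outgoing": "disabled",
     "src": {"VPN_Users"}, "dst": {"Trusted_TS"}},
]

if __name__ == "__main__":
    for name, problem in lint(SAMPLE_RULES):
        print("%-45s %s" % (name, problem))
```

Run stand-alone it lists five findings for the sample: the backwards EXT-TRU-SSH rule, the two-direction TRU-OPT-MySQL rule, the unparseable name, the VPN pair for manual review, and the overlap between TRU-OPT-MySQL and TRU-OPT-MySQL-reporting; the billing rule passes because its hosts are disjoint from the other MySQL rules, which is exactly the "another rule of the same kind with a descriptive suffix" case the post allows.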
