Firewall Wizards mailing list archives

Re: Time for a new FWTK?


From: Mike Shaver <shaver () netscape com>
Date: Sat, 29 Nov 1997 15:13:27 -0800

Bennett Todd wrote:
For several years thereafter it required a multi-discipline expert, strong
in security programming, networking, OS configuration, and so on to set
up a firewall. Then Cheswick&Bellovin came out, then Chapman&Zwicky,
then various nicely-packaged portable easy-to-use tools, then the LDP
Firewall HOWTO, and all of a sudden any random shmoo can make a
state-of-the-art firewall out of some used bubble-gum and a couple of
asphalt shingles, using only tools found around the home. The magic and
mystery has gone out of it.

Hmmm.  I don't think there's all that much of a sea change, although
firewall vendors would certainly have you believe that there have been
great technological leaps forward!

It's pretty much always been the case that anyone with decent C skills
and a basic knowledge of their network could put together a rudimentary
firewall.  (I suspect the amount of effort involved in installing fwtk 3
years ago is about equivalent to the amount of effort required for
buzzword decoding and vendor selection today.)

The problem was (and remains) developing policy and a keen eye for
discerning subtle differences between policy and enforcement.  I'm not
sure how we got along in the early days...perhaps we got lucky, because
the people clued-in enough to care about firewalling were also clued-in
enough to make those distinctions?

I don't know that NFR (right now) saves us from having to develop policy
-- although having a snapshot of current usage could certainly help --
but it could easily provide a handy policy/implementation matching tool.

Mike


