Firewall Wizards mailing list archives
Re: Firewall administration.
From: Rick Smith <rsmith () visi com>
Date: Fri, 3 Oct 1997 11:21:28 -0600
I don't think the problem is so much one of GUI versus non-GUI, I think it runs deeper. People will follow the minimum number of instructions to get things going, but once they're done they want to feel confident that they've done the job completely and correctly. This "feeling" is an important part of security. Customers aren't completely satisfied without it. Unfortunately, a cleverly designed GUI will give you that feeling of confidence without actually implementing all the protections you might have wanted or intended.

So, in my opinion, the basic technical security problem is one of cognitive modeling. A good administrative interface gives the installer a clear representation of the protection *objectives* he wants to achieve and helps him set up the firewall in terms of those objectives. Only techno-geeks care about ports and packet state bits. The administrators care about controlling traffic direction and type of service, or perhaps even higher level things. So a good interface lets the administrators set up the firewall in terms of interesting goals.

You don't need a GUI to do this. However, a GUI can present the installer with a controlled set of options to choose, and in so doing, will convince the installer that all appropriate steps have been taken. A command line interface requires the installer to choose commands individually from a potentially huge set. How is the installer going to know that he has executed every command he should have?

This gets back to confidence. The installer is going to need a certain amount of knowledge and training in order to report to his boss that everything is set up correctly, unless the administrative interface gives him confidence that this is true. And security training is more often desired than acquired.

Rick.
smith () securecomputing com  rsmith () visi com
"Internet Cryptography" in bookstores http://www.visi.com/crypto/