Firewall Wizards mailing list archives
Re: Firewall administration.
From: Rik Farrow <rik () spirit com>
Date: Fri, 3 Oct 1997 11:56:39 -0700 (MST)
Firewalls are intended to be security devices, and are supposed to help keep networks safe. What I find disturbing is the most popular firewall products are actually designed in an unsafe manner. That is, the person configuring the firewall is encouraged to do the wrong thing. I have come up with what I call Farrow's corollary to Murphy's law: good designs are difficult or impossible to use in an unsafe manner.

Let's look at an example which has nothing to do with firewalls, but does provide an excellent example of unsafe design. In the fifties, one large car manufacturer designed car door handles which locked if you pressed them down, and unlocked and opened when pulled up. A competing manufacturer inverted the design: by pressing down on the handle, the door unlocked then unlatched, and pulling up on the handle locked the door.

In the fifties, only race car drivers wore seatbelts. Ordinary car passengers were considered lucky if they were thrown clear (well, through the windshield) in case of a collision. Children rode in the back seat, a wide, featureless bench, and could be rolled from side to side when going around corners. In cars with the second design, it was common for the kiddies to fall against the door, press down on the handle (opening the door), and fall out of the turning car. The door design, which unlocks and opens when someone depresses (or falls against) it, is a good example of an inherently unsafe design.

Now for firewalls. Many firewall products include point-and-click support for passing dangerous services through the firewall. By Farrow's corollary, these firewalls are designed unsafely--it is easy, even trivial, to do the wrong thing. Given the public's general belief that having a firewall "makes their network safe", firewalls providing an interface which makes DOING THE WRONG THING EASY should be avoided.

While having a GUI is not necessarily evil in itself, having any interface which makes it easy to configure a firewall in an unsafe manner is evil...

Rik Farrow
rik () spirit com