Firewall Wizards mailing list archives
Re: Firewall administration.
From: John McDermott <jjm () jkintl com>
Date: Mon, 6 Oct 97 08:53:47
--- On Fri, 3 Oct 1997 11:56:39 -0700 (MST) Rik Farrow <rik () spirit com> wrote:

> Firewalls are intended to be security devices, and are supposed to help keep networks safe. What I find disturbing is the most popular firewall products are actually designed in an unsafe manner. That is, the person configuring the firewall is encouraged to do the wrong thing.

This is my experience also.

> I have come up with what I call Farrow's corollary to Murphy's law: good designs are difficult or impossible to use in an unsafe manner. Let's look at an example which has nothing to do with firewalls, but does provide an excellent example of unsafe design.

<Very good example deleted>.

> Now for firewalls. Many firewall products include point-and-click support for passing dangerous services through the firewall. By Farrow's corollary, these firewalls are designed unsafely--it is easy, even trivial, to do the wrong thing. Given the public's general belief that having a firewall "makes their network safe", firewalls providing an interface which makes DOING THE WRONG THING EASY should be avoided.

The real issue as I see it (and the issue on which I would like to see firewall products evaluated) is, "How easy is it to implement the organization's security policy correctly?" The two operative items here are "security policy" and "correctly".

Security Policy. I will not beat this to death as others have said it before, but the goal of a firewall is to help implement a security policy. It cannot, of course, implement all of a policy. The problem comes with clients such as the one who told me "This is the real world. Writing a security policy takes time I don't have. All we can say is that we want to be secure." He works for a fairly large company. After two years neither he nor his management has been willing to create a policy or hire someone to do it for them. When I teach about firewalls, I try to emphasize the importance of a good policy. About three years ago when I started teaching about security, many of the students had not even heard of security policy; now in my firewalls course about 25% have some sort of policy. Things are getting better, but this is an area where we still really need to get the word out.

Correctly. I like Rik's approach. Firewall products should make it hard to do the wrong thing either easily or "by accident". Operating systems and firewall products should be easy to configure in some kind of secure way at install time. Clearly, one cannot have a product ready to match all possible policies out of the box, but some "least common denominator" should be the out-of-box default. One issue to which I virtually always return is that of stance: for most of us "everything which is not explicitly permitted is prohibited" is generally correct. Product vendors should make that their mantra...

> While having a GUI is not necessarily evil in itself, having any interface which makes it easy to configure a firewall in an unsafe manner is evil...

I second that.

> Rik Farrow rik () spirit com
--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------