Firewall Wizards mailing list archives

Re: Firewall administration


From: Anton J Aylward <anton () toronto com>
Date: Mon, 06 Oct 1997 23:55:35 -0400

At 12:44 PM 06/10/97 -0400, David Collier-Brown wrote:
## Reply Start ##

      I'm emphasizing the **opposite**.  Whenever you turn on
      something that is ``easy'', you get faced with the hard,
      physical fact that you've just done something risky.  

      If a form-based interface makes it easy to make mistakes,
      then make the mistake part of the form.  It verges on obvious
      (but only if you look at it from the point of view of an
      ergonomist or a security officer, not a developer).

      I've had to fight many times with programmers who made
      the easy part easy, and the hard part **more** difficult.
      Sometimes impossible.  Forcing the results into the
      equation is one of the ways I keep them under control.

One of the UNIX old timer adages is that the easy stuff 
should be easy and the hard stuff should be easy as well ;-)
DC-B, being on the order of an old timer, remembers this and 
has my full support for lampooning programmers who indulge in 
<insert word for unproductive self amusement with sexual connotations>
with code.

I'd go further.
I've already mentioned my gratification in dealing with the AXENT 
rule based audit system for UNIX.  You start off with a baseline
"policy" which can be one of the vendor-supplied ones or one you've
created using the policy editor.   It then tells you how the system
doesn't conform.   You can then add exceptions.   Press a button
and you get a report - what's your baseline and what's your
deviation from the baseline.

In firewall terms the baseline is your policy.

Now doesn't this make more sense than the way GUIs are working at the moment?

OBTW: The Axent interface is a GUI.  While it's not perfect, it's far better
than any firewall GUI interface I've met.

/anton

## Reply End ##
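
Added example, not part of the original message and not AXENT's code: the baseline / exceptions / deviation-report workflow described above, applied to a firewall ruleset. The rule format, zone names, and all sample rules are constructed assumptions.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    action: str
    proto: str
    src: str   # source zone (hypothetical zone names)
    dst: str   # destination zone
    port: int

# Baseline: the flows the written policy permits; everything else is denied.
BASELINE = {
    Rule("allow", "tcp", "internal", "internet", 80),
    Rule("allow", "tcp", "internal", "internet", 443),
    Rule("allow", "tcp", "internet", "dmz", 25),
}
# Exceptions: deviations that were approved, each with its recorded reason.
EXCEPTIONS = {
    Rule("allow", "tcp", "vendor", "dmz", 22): "vendor support, reviewed quarterly",
}
# Constructed sample of the ruleset actually loaded on the firewall.
RUNNING = [
    Rule("allow", "tcp", "internal", "internet", 80),
    Rule("allow", "tcp", "internet", "dmz", 25),
    Rule("allow", "tcp", "vendor", "dmz", 22),
    Rule("allow", "tcp", "internet", "internal", 23),
]

def audit(running, baseline, exceptions):
    """Classify every running rule against the baseline and the exception list."""
    live = set(running)
    extra = live - baseline
    return {
        "conforming": sorted(live & baseline),
        "excepted": sorted(r for r in extra if r in exceptions),
        "unexplained": sorted(r for r in extra if r not in exceptions),
        "missing": sorted(baseline - live),  # policy says allow, firewall does not
    }

def report(result, exceptions):
    """Render the baseline-versus-deviation report as text."""
    lines = []
    for section, rules in result.items():
        lines.append(f"{section.upper()} ({len(rules)})")
        for r in rules:
            note = f"  # {exceptions[r]}" if r in exceptions else ""
            lines.append(f"  {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}{note}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(audit(RUNNING, BASELINE, EXCEPTIONS), EXCEPTIONS))
```

The "unexplained" section is the part a reviewer acts on: rules that are live on the firewall but are neither in the policy nor covered by a recorded exception.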


