RE: [fw-wiz] Opinion: Worst interface ever.

From: Eugene Kuznetsov (eugene_at_datapower.com)
Date: 07/06/05

    To: "'Mark Teicher'" <mht3@earthlink.net>, "'Paul D. Robertson'" <paul@compuwar.net>
    Date: Wed, 6 Jul 2005 09:11:57 -0400
    
    

    > I recall this argument all too well during the early days of
    > implementing firewalls. Customers used to go gaga over some X11
    > based UI from some vendor versus a curses based ui, that was simple
    > to use and less than 7 or 8 config options and a customer's firewalls
    > was up and protecting their network from the baddies.

    Exactly... The sad reality is that many (even a majority) of the people
    charged with buying "security products" today will choose a provably insecure
    solution (e.g., known exploits) with a "prettier/easier" UI over one that
    has better security attributes but is less attractive. This gets progressively
    worse as you move from Layer2/3 security to Layer7 & up application security
    or identity management.

    Of course, a great commercial product should and does have both. But the
    interesting question for the professional is that if you have a vendor
    evaluation matrix that looks like this:

    Vendor:      UI:   Security:
    AliceBox     B-    A
    MalloryBox   A+    C

    What is the choice that gets made? Sadly, it's MalloryBox, almost always.
    Because, you know, you can *SEE* what's wrong with AliceBox, while the
    security parameters are "subtle" and "subjective".

    Before anyone else says it: obviously there's a point where a UI can be so
    bad that it compromises the security achievable with it. Paul's example may
    fit into that case, but I think it's important to stand up for security as
    the first and dominant criterion.

    \\ Eugene Kuznetsov, Chairman & CTO : eugene@datapower.com
    \\ DataPower Technology, Inc. : Web Services security
    \\ http://www.datapower.com : XML-aware networks

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

