RE: [fw-wiz] Opinion: Worst interface ever.
From: Eugene Kuznetsov (eugene_at_datapower.com)
To: "'Mark Teicher'" <firstname.lastname@example.org>, "'Paul D. Robertson'" <email@example.com>
Date: Wed, 6 Jul 2005 09:11:57 -0400
> I recall this argument all too well during the early days of
> implementing firewalls. Customers used to go gaga over some X11
> based UI from some vendor versus a curses based ui, that was simple
> to use and less than 7 or 8 config options and a customer's firewall
> was up and protecting their network from the baddies.

Exactly... The sad reality is that many (even the majority) of people charged
with buying "security products" today will choose a provably insecure
solution (e.g., known exploits) with a "prettier/easier" UI over one that
has better security attributes but is less attractive. This gets progressively
worse as you move from Layer2/3 security to Layer7 & up application security
or identity management.

Of course, a great commercial product should and does have both. But the
interesting question for the professional is that if you have a vendor
evaluation matrix that looks like this:

    Vendor:       UI:    Security:
    AliceBox      B-     A
    MalloryBox    A+     C

What is the choice that gets made? Sadly, it's MalloryBox, almost always.
Because, you know, you can *SEE* what's wrong with AliceBox, while the
security parameters are "subtle" and "subjective".

Before anyone else says it: obviously there's a point where a UI can be so
bad that it compromises the security achievable with it. Paul's example may
fit into that case, but I think it's important to stand up for security as
the first and dominant criterion.

\\ Eugene Kuznetsov, Chairman & CTO : firstname.lastname@example.org
\\ DataPower Technology, Inc. : Web Services security
\\ http://www.datapower.com : XML-aware networks
firewall-wizards mailing list