RE: [fw-wiz] Opinion: Worst interface ever.

From: Eugene Kuznetsov
Date: 07/06/05

    To: "'Mark Teicher'", "'Paul D. Robertson'"
    Date: Wed, 6 Jul 2005 09:11:57 -0400

    > I recall this argument all too well during the early days of
    > implementing firewalls. Customers used to go gaga over some X11
    > based UI from some vendor versus a curses based ui, that was simple
    > to use and less than 7 or 8 config options and a customer's firewall
    > was up and protecting their network from the baddies.

    Exactly... The sad reality is that many (even a majority) of people charged
    with buying "security products" today will choose a provably insecure
    solution (e.g., known exploits) with a "prettier/easier" UI over one that
    has better security attributes but less attractive. This gets progressively
    worse as you move from Layer2/3 security to Layer7 & up application security
    or identity management.

    Of course, a great commercial product should and does have both. But the
    interesting question for the professional is that if you have a vendor
    evaluation matrix that looks like this:

    Vendor:       UI:   Security:
    AliceBox      B-    A
    MalloryBox    A+    C

    What is the choice that gets made? Sadly, it's MalloryBox, almost always.
    Because, you know, you can *SEE* what's wrong with AliceBox, while the
    security parameters are "subtle" and "subjective".

    Before anyone else says it: obviously there's a point where a UI can be so
    bad that it compromises the security achievable with it. Paul's example may
    fit into that case, but I think it's important to stand up for security as
    the first and dominant criterion.

    \\ Eugene Kuznetsov, Chairman & CTO :
    \\ DataPower Technology, Inc. : Web Services security
    \\ : XML-aware networks

