RE: [fw-wiz] Opinion: Worst interface ever.

From: Eugene Kuznetsov (
Date: 07/06/05

    To: "'Mark Teicher'" <>, "'Paul D. Robertson'" <>
    Date: Wed, 6 Jul 2005 09:11:57 -0400

    > I recall this argument all too well during the early days of
    > implementing firewalls. Customers used to go gaga over some X11
    > based UI from some vendor versus a curses based UI, that was simple
    > to use and less than 7 or 8 config options and a customer's firewall
    > was up and protecting their network from the baddies.

    Exactly... The sad reality is that many (even a majority) of people charged
    with buying "security products" today will choose a provably insecure
    solution (e.g., known exploits) with a "prettier/easier" UI over one that
    has better security attributes but is less attractive. This gets progressively
    worse as you move from Layer2/3 security to Layer7 & up application security
    or identity management.

    Of course, a great commercial product should and does have both. But the
    interesting question for the professional is that if you have a vendor
    evaluation matrix that looks like this:

    Vendor:       UI:   Security:
    AliceBox      B-    A
    MalloryBox    A+    C

    What is the choice that gets made? Sadly, it's MalloryBox, almost always.
    Because, you know, you can *SEE* what's wrong with AliceBox, while the
    security parameters are "subtle" and "subjective".

    Before anyone else says it: obviously there's a point where a UI can be so
    bad that it compromises the security achievable with it. Paul's example may
    fit into that case, but I think it's important to stand up for security as
    the first and dominant criterion.

    \\ Eugene Kuznetsov, Chairman & CTO :
    \\ DataPower Technology, Inc. : Web Services security
    \\ : XML-aware networks

    firewall-wizards mailing list
