On Fri, 21 Jan 2000, David Lang wrote:

> This I have to comment on, 
> 
> WHY IN THE WORLD DO COMMERCIAL FIREWALL VENDORS DECIDE THAT YOU HAVE TO
> HAVE TWO MACHINES TO RUN A FIREWALL??????

Ouch, you didn't have to shout ;)

> nowadays you need one box to run the firewall and a "management" box to
> configure the firewall (and most of them require that the management box
> be an NT machine even if you are installing the unix version of their firewall).

Yep, mostly because (and this is pure conjecture, but with the benefit of
having sat in meetings with groups of customers of at least one vendor)
large companies with multiple firewalls want to manage them all centrally.
Rather than reproduce the code in two places, they lump it all in one,
where they only have one version of OS support to deal with.  This helps
get big sales and cut support costs.  Smaller customers, or decentralized
customers lose out.

> I understand that it is a "nice option" to be able to configure your
> firewall without having to go to the computer room and log into the
> firewall, but why is it becoming mandatory?

Too many people don't believe in not being able to screw with the config
remotely.  Even though if they followed good practices, change rate would
be glacial.

> for that matter, while a GUI is handy, especially for beginners, why have
> all the firewall vendors now made it so that it is not possible to work
> without a GUI? Last I checked X was not considered a "safe" protocol, but
> now it is _REQUIRED_ to be run on your firewall!

It's easier to sell glitz than security.  The firewall market has proven
this many, many times in the past.

> As for GUI being the "proper" or "best" way to configure a firewall, that
> very much depends on what you are doing. I am in the process of replacing

Welcome to the GUI vs command line debate.

On the left we have competent administrators and command lines.
On the right, we have people who don't know about computers and mice.

We can train the left hand group to point and click, we can't train the
right hand group to think.  The right hand group is cheaper.  

Once the right hand group has figured out that they can't really
administer <product> without people who can think, we'll switch to <Next
Version> on the right.  

> a firewall based on the FWTK with a Raptor firewall; this is an internal
> firewall that is passing odd stuff so I am limited to using the plug-gw
> or Generic Service Proxy (I realize this provides limited security, but it
> does port/IP limits and IP isolation; no non-custom proxy or firewall will
> do any better). With the FWTK I needed to add 1 line to two files (proxy
> config and startup), and much of this can easily be scripted; with Raptor I
> need to go to 5-6 different windows and make ~30 mouse clicks that cannot
> be scripted to do the same thing. But Raptor is "better", it is "easier to
> manage" because it is a commercial product and has a nice GUI

I'd bet that if you diff the config files before and after, you'd find a
way to script it unless Raptor has completely changed over time.  It's
been a bunch of years since I configured a Raptor box though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
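
As an added example (not code from the thread, from FWTK, or from any
firewall vendor), here is the "diff the config files before and after"
approach Paul suggests, in POSIX sh: snapshot the firewall's config tree,
make the one change through the GUI, snapshot again, and turn the delta
into a patch that can be replayed with patch(1) instead of repeating the
mouse clicks. The config layout under $WORK/fw, the file names and the rule
syntax are constructed for the demo; a real product's files will differ.

```shell
#!/bin/sh
# Added example, not code from the thread or from any firewall vendor. It
# demonstrates "diff the config files before and after": snapshot the config
# tree, make one change through the GUI, snapshot again, and turn the delta
# into a patch that can be replayed with patch(1) instead of repeating the
# clicks. The config layout and rule syntax under $WORK/fw are constructed
# for the demo; a real product's files will differ.
set -eu

WORK=${WORK:-$(mktemp -d)}

# hash_tree DIR: one "checksum  ./path" line per file, sorted for stable diffs
hash_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
        else shasum -a 256 "$f"; fi
    done)
}

# snapshot DIR NAME: keep a full copy plus its checksum list under $WORK/NAME
snapshot() {
    rm -rf "$WORK/$2"
    cp -R "$1" "$WORK/$2"
    hash_tree "$WORK/$2" > "$WORK/$2.sums"
}

# changed_files BEFORE AFTER: paths whose checksum differs between two snapshots
# (covers edited, added and removed files; each path is listed once)
changed_files() {
    diff "$WORK/$1.sums" "$WORK/$2.sums" | sed -n 's/^[<>] [0-9a-f]*  //p' | sort -u
}

# make_patch BEFORE AFTER: unified diff of the two copies, written to
# $WORK/change.patch. diff exits 1 when the trees differ, which is expected.
make_patch() {
    (
        cd "$WORK"
        diff -ruN "$1" "$2" > change.patch || [ $? -eq 1 ]
    )
}

# demo: constructed sample run. Prints the list of changed paths on stdout.
demo() {
    fw="$WORK/fw"
    rm -rf "$fw"
    mkdir -p "$fw/proxies"
    printf 'tcp 10.1.1.0/24 -> 10.2.2.5:25\n' > "$fw/rules"
    printf 'plug-gw smtp\n' > "$fw/proxies/enabled"
    printf 'retries=3\n' > "$fw/global.conf"

    snapshot "$fw" before

    # Stand-in for the one change made through the GUI (in a real run, click
    # through the GUI here, then take the second snapshot).
    printf 'tcp 10.1.1.0/24 -> 10.2.2.6:5432\n' >> "$fw/rules"
    printf 'plug-gw pgsql\n' >> "$fw/proxies/enabled"

    snapshot "$fw" after
    changed_files before after
    make_patch before after
}

demo
echo "Replay on another box with: patch -p1 -d /path/to/fw < $WORK/change.patch"
cat "$WORK/change.patch"
```

The checksum list tells you which files the GUI actually touched (here only
`rules` and `proxies/enabled`; `global.conf` is untouched), and the unified
diff is the scriptable form of the change. The `-p1` strip level matches the
`before/` and `after/` prefixes the patch carries.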
