> Complex security systems are often completely ignored. This is definitely a problem with with more-involved security systems. At one point I obtained a system that had obtained B1 certification to implement a firewall. The firewall worked fine, but I never got the hang of the system administration for the damn thing.
User client-level applications should come with recommended sandbox.conf files that will contain them appropriately. There's already a shortage of systems and network security people, and this stuff should be as easy as possible. ches