
Re: web interface?

On Tue, 2004-06-15 at 01:25, Petr Ruzicka wrote:
> No, you would be surprised.
no I wouldn't ;)
> I have spoken to a lot of IT managers, CSO
> etc. and they would choose the former. No matter what I say, no matter what
> I do and use, lots of them will choose gui/html over ssh/vi...
> Some people just do like nice and colorful GUIs and prefer them to clean, simple and secure.
I think this is a case of horses for courses. A good firewall with a
possibly less secure web based management platform is definitely better
than no firewall at all and is arguably better than one with the simple
interface if it means that it gets updated appropriately in a timely
There are many folk out there who have never worked at a command line at
all (yet still call themselves IT professionals) -- come to think of it
most of the people in our IT organisation have never used anything but a
I think that the OBSD folk have it right, they concentrate on building
the base system and on getting it "Right".  Others can then add bits on
to better fit various niches in the 'market'. 
I have modified our homegrown network management system
(apache/perl/mysql) to manage our pf firewall.  The system generates the
pf.conf file which is then copied (via scp) to the firewall and the
pfctl command done via ssh.  The next step is to just do the table and
updates rather than load the whole ruleset every time.  Someone has
written a daemon to manage the rule changes on the firewall; we may well
use that. And yes, that will introduce more possible weaknesses into the
systems but these risks are justifiable in our environment, in others
they may well not be.
Remember that security is not a one size fits all job.
We have entries for about 8,000 machines on our fw (thanks for the
tables folks!!) and these are updated by about 100 IT staff scattered
over campus and there is no way we could do this with just ssh and vi!
It might interest folk to know that out of those 8000 systems only about
300 have any form of inbound access configured and the bulk of those are
http and this is the local SA's choice, not mine.
There are several thousand other systems that have no access at all
through the firewall.
Cheers, Russell
Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.
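An added illustration of the push-from-a-management-host workflow Russell describes (generate pf.conf, scp it over, load it with pfctl over ssh, then move to table-only updates). This is not his script or the university's system; the hostname, remote paths and table name are assumed, and the SSH/SCP variables can be pointed at `echo` for a dry run.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumed: the firewall is
# reachable as root over ssh, pf.conf lives at /etc/pf.conf, and each table
# is fed from a file /etc/pf.<tablename> on the firewall.
FW_HOST="${FW_HOST:-firewall.example.net}"   # assumed hostname
REMOTE_CONF="${REMOTE_CONF:-/etc/pf.conf}"
SSH="${SSH:-ssh}"   # set SSH=echo SCP=echo to dry-run without a firewall
SCP="${SCP:-scp}"

# pfctl command that atomically replaces one table's addresses from a file.
pf_table_replace_cmd() {
    # $1 table name, $2 address-list file on the firewall
    printf 'pfctl -t %s -T replace -f %s' "$1" "$2"
}

# pfctl command that adds or deletes a single address/network in a table.
pf_table_entry_cmd() {
    # $1 add|delete, $2 table name, $3 address or CIDR network
    case "$1" in
        add|delete) ;;
        *) echo "pf_table_entry_cmd: action must be add or delete" >&2; return 1 ;;
    esac
    printf 'pfctl -t %s -T %s %s' "$2" "$1" "$3"
}

# Copy a generated ruleset to the firewall, parse-check it there with
# pfctl -n so a generator bug never reaches the live rules, then load it.
push_ruleset() {
    local_conf="$1"
    "$SCP" "$local_conf" "root@$FW_HOST:$REMOTE_CONF.new" || return 1
    "$SSH" "root@$FW_HOST" "pfctl -nf $REMOTE_CONF.new" || return 1
    "$SSH" "root@$FW_HOST" "mv $REMOTE_CONF.new $REMOTE_CONF && pfctl -f $REMOTE_CONF"
}

# Update one table's membership without touching the rest of the ruleset.
push_table() {
    table="$1"; addr_file="$2"
    "$SCP" "$addr_file" "root@$FW_HOST:/etc/pf.$table" || return 1
    "$SSH" "root@$FW_HOST" "$(pf_table_replace_cmd "$table" "/etc/pf.$table")"
}
```

Running `pfctl -nf` on the copied file before `pfctl -f` is the cheap check that separates a bad generator run from a firewall outage; table replacement via `-T replace` keeps the per-host churn from 100 staff away from the ruleset load entirely.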