Great Circle Associates Firewalls
(December 1996)

Subject: Re: PIX and Gauntlet
From: Terry Bernstein <tbernstein @ sri . com>
Date: Thu, 5 Dec 1996 10:05:41 -0800
To: peter @ baileynm . com (Peter da Silva)
Cc: jeromie @ garrison . com (Jeromie Jackson), mike @ ptes . com, avolio @ tis . com, firewalls @ greatcircle . com
In-reply-to: <9612051426 . AA25253 @ sonic . nmti . com . nmti . com>
References: <9612042227 . AA01909 @ garrison . com . > from "Jeromie Jackson" at Dec 4, 96 04:27:53 pm

The problem is not with the manual editing per se, but with the possibility
that you could make a mistake and open services on your firewall that you
really don't want opened.  I just had the impression that the file was a
bit complicated and that it would be relatively easy for someone to screw
up.  This is similar to the problem with Cisco access lists.  Yes, you CAN
configure them correctly, but in 75% of the security reviews I've done,
there was at least 1 mistake in the Cisco ACL.

Also, I believe that if you have multiple TIS firewalls, you'll need to
move these files between machines and manually reconfigure them.  If that
is the case, then this introduces yet another place for a possible
misconfiguration.

-- terry --


At 6:26 AM -0800 12/5/96, Peter da Silva wrote:
>> The GUI is useful, however, many administrative type processes still
>> require manual hacking.  For example, if adding a generic proxy the users now
>> have to go in and modify /usr/local/etc/mgmt/rc/* files.
>
>If there is a good editor available, why is this a problem?
>
>Novell administration requires manual editing of files now and then, but it
>seems to be quite within the grasp of PC network admin types. Just because
>there's not a specific GUI editor that doesn't make it "too hard" for naive
>users.
>
>(IMHO the biggest advantage of GUIs for administrative work is it lets your
>sales reps give impressive demonstrations. For systems bigger than a single
>workstation the fact that you're unable to do editing tasks that weren't
>explicitly programmed into the GUI is a big hindrance. For example, in NT's
>User Mangler... what if I want to just list the users with disabled accounts?)
>
>((I gave up and added a (disabled) entry to the comment field))


----------
Terry Bernstein
SRI Consulting
terry_bernstein @ sri . com
http://www.ice.sri.com/~terry
<mailto: tbernstein @ sri . com>
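
The kind of hand-editing mistake described above (an ACL entry that quietly opens every service, or a deny that can never take effect because an earlier line already covers it) can be caught mechanically before a rule file is pushed to a firewall. The following checker is an added example, not code from the original post or from either vendor; it assumes a deliberately simplified Cisco-style extended ACL syntax (`any` or `host A.B.C.D` endpoints, optional `eq <port>`) and a constructed sample rule set.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (not from the original post): a small extended ACL with
# two classic hand-editing mistakes, an early "permit ip any any" and two
# denies after it that can never match.
SAMPLE_ACL = """
access-list 101 permit tcp any host 192.0.2.10 eq 25
access-list 101 permit ip any any
access-list 101 deny tcp any host 192.0.2.10 eq 23
access-list 101 deny ip any any
"""

# Simplified grammar: number, action, protocol, src, dst, optional "eq port".
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(\w+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)

@dataclass
class Rule:
    line_no: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]

def parse_acl(text: str) -> list:
    """Parse recognised ACL lines into Rule objects, numbering them from 1."""
    rules = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = ACL_RE.match(line.strip())
        if m:
            _, action, proto, src, dst, port = m.groups()
            rules.append(Rule(n, action, proto, src, dst, port))
    return rules

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.proto in ("ip", b.proto) and a.src in ("any", b.src)
            and a.dst in ("any", b.dst) and a.port in (None, b.port))

def lint_acl(text: str) -> list:
    """Return findings: wide-open permits and rules shadowed by an earlier one."""
    findings, rules = [], parse_acl(text)
    for i, r in enumerate(rules):
        if (r.action, r.proto, r.src, r.dst) == ("permit", "ip", "any", "any"):
            findings.append(f"line {r.line_no}: 'permit ip any any' opens every service")
        for earlier in rules[:i]:  # first-match semantics: earlier lines win
            if earlier.action != r.action and covers(earlier, r):
                findings.append(f"line {r.line_no}: shadowed by line {earlier.line_no}, never takes effect")
                break
    return findings
```

Running `lint_acl` over each firewall's copy of the file before it is moved between machines also gives a simple way to confirm that the copies still agree.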
