A little green man told me Adrian Knight said:
> 2) We don't want to hire a rocket scientist to manage our firewall. A
> message earlier referred to firewalls being "necessarily technical."
> That's bogus. I think it's possible that a lot of people making money off
> of firewalls might want to keep them that way, but there are a lot of
> average people out there who want to AND CAN handle managing a firewall
> right along with the MANY other types of systems that are also included in
> our job responsibilities. In this age of computers, it is no longer valid
> to try to convince people that computers are just too complicated for the
> average person.
> Because our firewall is on an NT platform and has a good GUI, I can be
> gone for a couple of weeks and even my boss, a manager, can sit down and
> make changes to the firewall comfortably. Several other people in the
> computing department with the password could do the same if they had to.
> After two years, nobody else could sit down to my Solaris box and do
> anything except manage to shut things down.
Oh boy, where's my soapbox. Grrr...
I'll give you #1 and #3. The fact that your expertise is with Windows NT
rather than Unix and the price comparison of the system hardware and software
were both valid factors to be considered in your decision.
This shows a very naive view of security. Your argument about vendors
realizing that computers and software are too complicated may be valid for
the end-user, but important systems such as security systems are much
different. They are necessarily technical because they are only tools.
Improved user interfaces or programming logic are a long way from being able
to completely replace a skilled individual making decisions on technical
issues. Personally, I doubt they ever will. Computers can decrease the
amount of time it takes to perform a task or reduce the complexity of
managing a task but will never eliminate the need for expertise in a
It is quite possible to comfortably make changes to a firewall and end up
with an insecure configuration and be none the wiser. The same holds for
trading systems, medical systems, etc. They essentially magnify the skill of
the person using them. If the operator is clueless, the system will often
be perfectly willing to let them do foolish things. I know of no
commercial firewall on any platform that will totally prevent an
administrator from setting up an insecure configuration.
If anybody who is permitted to make changes to a firewall does not have a
thorough understanding of "technical" security issues then their problems
will not be solved by ANY product. Even a fool can be sincere in their
Claiming that managing a firewall shouldn't require significant expertise
contradicts your first reason for choosing NT. It is no more or less
difficult in general to properly administer a Windows NT environment than a
Solaris environment. Windows NT does not even come close to the goal of
being easily managed compared to any other major OS. Look at the level of
in-depth knowledge that Russ displays about NT security. Particular tasks
are easier in one or the other environment but I would want equally skilled
administrators in either environment.
(I am part of a team that manages a large mixed NT and Solaris environment
with a significant investment in both operating systems. I am the principal
member of the team who works heavily with both. This provides its own unique
challenges. See my .sig ;-)
The OS issue is much less important than a thorough understanding of
security implications. Unfortunately, a lot of people are spending far too
much time debating the platform when it doesn't really matter as long as it
can cover security requirements to some verifiable extent that satisfies an
organization's risk management objectives.
I was much more verbose than I intended to be, but that's what happens when
somebody pushes my vent button. It's really sad to think that I'm probably
not biting on a troll either.
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
com - (312) 732-7392
Sisyphus and loving it.
I never give them hell. I just tell the truth and they think it's hell.
- H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e