Firewall Thoughts

The first firewall I administered was Gauntlet running on a version of x86 BSD provided by that company. Since then I’ve worked with Cisco PIX, IPCHAINS on Linux and ISA Server 2000/2004.

When I first encountered PIX, I was going through a hardcore command line phase. My enthusiasm at the time certainly helped me get on top of the PIX OS. However I’m not sure how easy someone new to firewall administration would find PIX. Of course, one can argue that if you are new to it, you shouldn’t be administering a firewall at all! On the other hand, sometimes people have no choice but to jump in at the deep end and swim as best they can. That’s how I learned Gauntlet firewall. I was settling in to a new job and my manager mentioned this new responsibility as an afterthought. His attitude was “you are a geek, you’ll figure it out”. As my favorite author, Terry Pratchett, once said:

“It was not so much life in the fast lane as it was life in oncoming traffic.”

I recently finished working on the ISA Server 2004 MCSE exam training kit for Microsoft Learning. When writing such a book, you get deeply immersed in the software. Getting that close, you either love it or hate it. There is little room for ambivalence. In working with ISA Server 2004 it often occurred to me was that not only was this a cool product, but the interface was intuitive enough that it also made a good teaching tool. A high point of ISA Server 2004 is its interface. I think that someone new to firewall administration thrown in the deep end with ISA Server 2004 would probably have a better chance at swimming than they would if they’d been thrown in with a command line firewall such as IPCHAINS or PIX. That isn’t to say that the interface is the only cool thing about ISA Server 2004, there are a lot of other nifty things, but the interface is what this comment is mostly about.

It would be great if everyone that got the job of looking after a firewall knew the difference between a port and a packet, but in real life it doesn’t always happen that way. Although I once thought that anything administered from the command line was naturally more secure than anything administered through a GUI, today I don’t believe that is the case. As I said elsewhere, being difficult to configure does not necessarily make a product more secure. What is important is being able to quickly spot and diagnose configuration problems that might post a threat to your organization. Some people have an amazing ability to do that via the command line. Odds are though that someone new to the product is going to be better able to do that via a GUI.