Mark Hoover
2002-Apr-09 12:38 UTC
[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs
From: "Jim Hubbard" <jimh@xlproject.com>
Subject: RE: [Shorewall-users] Parameterized Samples Withdrawn

> rather the user read and understand the whole thing first. The newbie just
> wants it to work; he doesn't care how, how well, or why right now because
> he'll read the docs and tweak his setup later (maybe). Newbies don't want
> to read and understand, we want a sample and some quick pointers for common
> setups. Once our firewall is running and everything still works, THEN we'll
> read. It's kinda like those instructions that came with your kid's bike.

And herein lies the problem. Sure, people like the ones that represent a good portion of this list will set something up and go back to tighten up the loopholes after browsing the documentation. However, it's the newbies who "just want it to work" that are going to cause the most problems because they won't go back and read the documentation. You could give most of these people a firewall ruleset that allows everything through and as long as they get a "Shorewall Started [ OK ]" they'll think they have a secure system.

This is the same reason we have all these IIS server problems (aside from MS not properly auditing their code). You install an NT/2k server with IIS and it automatically starts without much if any configuration needing to be done by the user. You now have a perfect target for Code Red or whatever else comes along. The same problem was seen with earlier versions of sendmail that came defaulted to being an open relay. People saw that sendmail started, it worked for them, and except for the sysadmins who realized this was a problem, nobody tweaked their settings.

As you can guess, I can see where Tom is coming from. Before running anything like this, one should have an idea of how it's all supposed to work and hopefully have an idea of how to alter it.
------------------------------------------------------------------
Mark Hoover
District Network Engineer
Norfolk Public Schools
628-3450
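The "allows everything through but starts OK" situation Mark describes is easy to catch by looking at the Shorewall policy file rather than at the start-up message. The script below is an added example for this thread, not code from Mark or from the Shorewall project; it assumes the classic policy-file layout (SOURCE, DEST, POLICY, optional LOG LEVEL, whitespace-separated, `#` comments) and both sample files it writes are constructed here for illustration. It flags any policy row where traffic from the `net` zone (or from `all` zones) is ACCEPTed by default, which is exactly the ruleset that "works" for a newbie while protecting nothing.

```shell
#!/bin/sh
# Added example (not from the thread): flag Shorewall policy entries that let
# traffic from the Internet ("net" zone) or from "all" zones through by default.
# Assumes the classic policy-file layout: SOURCE DEST POLICY [LOG LEVEL] ...
# The two sample policy files written by make_samples are constructed for this example.

permissive_policy_lines() {
    # Print policy rows whose SOURCE is net or all and whose POLICY is ACCEPT;
    # comment and blank lines are skipped. Exit status 1 if any such row exists,
    # 0 if the file is default-deny towards the outside.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        ($1 == "net" || $1 == "all") && toupper($3) == "ACCEPT" { print; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

make_samples() {
    # $1: the "allows everything through" policy. Shorewall starts fine with it
    # and prints its OK message, but no traffic is ever denied.
    cat > "$1" <<'EOF'
#SOURCE   DEST    POLICY   LOG LEVEL
all       all     ACCEPT
EOF
    # $2: the default-deny shape of a typical two-interface setup: the local
    # zone may reach the Internet, the Internet is dropped, everything else rejected.
    cat > "$2" <<'EOF'
#SOURCE   DEST    POLICY   LOG LEVEL
loc       net     ACCEPT
net       all     DROP     info
all       all     REJECT   info
EOF
}

# Usage: permissive_policy_lines /etc/shorewall/policy || echo "policy lets net traffic in"
```

The check reads the policy file, not the running iptables chains, because Shorewall sets the built-in chain policies itself on start-up; a permissive Shorewall policy still results in a running firewall, just one whose rules accept everything. Run it against `/etc/shorewall/policy` before trusting the "Started [ OK ]" line.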
Richard Kimber
2002-Apr-09 14:23 UTC
[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs
On Tue, 09 Apr 2002 08:38:10 -0400
"Mark Hoover" <mhoover@nps.k12.va.us> wrote:

> You could give most of these people a firewall ruleset that allows
> everything through and as long as they get a "Shorewall Started [ OK
> ]" they'll think they have a secure system.

If their situation is straightforward enough and it's a good ruleset, presumably they will have a secure system. It's surely only the more complex systems that require the extra work you refer to. I guess I potentially confused the issue here by originally referring to 'newbies'. A newbie might in fact have any of a range of machine configurations. What I'm really concerned about are those people who have very simple, straightforward systems where mastering complex documentation, much of which doesn't apply to them, isn't justified.

- Richard.
--
Richard Kimber
Political Science Resources http://www.psr.keele.ac.uk/
UK-Euro FAQ http://www.psr.keele.ac.uk/docs/efaq.htm
Tom Eastep
2002-Apr-09 15:06 UTC
[Shorewall-users] Re: Shorewall-users digest, Vol 1 #122 - 10 msgs
On Tue, 9 Apr 2002, Richard Kimber wrote:

> On Tue, 09 Apr 2002 08:38:10 -0400
> "Mark Hoover" <mhoover@nps.k12.va.us> wrote:
>
> > You could give most of these people a firewall ruleset that allows
> > everything through and as long as they get a "Shorewall Started [ OK
> > ]" they'll think they have a secure system.
>
> If their situation is straightforward enough and it's a good ruleset,
> presumably they will have a secure system. It's surely only the more
> complex systems that require the extra work you refer to. I guess I
> potentially confused the issue here by originally referring to 'newbies'.
> A newbie might in fact have any of a range of machine configurations. What
> I'm really concerned about are those people who have very simple,
> straightforward systems where mastering complex documentation, much of
> which doesn't apply to them, isn't justified.

This again says to me that we need better entry level documentation with examples. I'm not objecting to the idea of easy to modify sample configurations; what I dislike about the current samples is that they unnecessarily try to simplify something that isn't complex to start with and they do so by introducing a totally different configuration interface. We are thus left with two configuration interfaces:

- The sample configurations which make it simple to do a few simple things but impossible to do anything else. The parameterized technique does not extend well to cover the many things that Shorewall can do.

- The native configuration interface which is very flexible but currently imposes a steep learning curve.

I feel that by continuing to offer the current samples, I am leading people into a dead-end solution that may serve their needs in the short term but that will ultimately prove inadequate.

I am going to withdraw from this debate now and spend what free time that I have to work on the "Shorewall QuickStart Guide" that I started last evening.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net