Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: Adam Jones <ajones1 () gmail com>
Date: Tue, 5 Jul 2005 08:54:40 -0500

On 7/5/05, Marcus J. Ranum <mjr () ranum com> wrote:
Paul D. Robertson wrote:
The new Watchguard software "automatically" decides ruleset evaluation
order, and there's no easy way that I can find to figure out what order
something's going to be evaluated in.

That's a chip-head thing, Paul. Remember - it's all about performance,
not security. By re-ordering the ruleset the firewall can evaluate the
rules in the fastest possible manner. I had this explained to me once
by an engineer who builds ASIC firewalls for a living - he thought it was
a very cool optimization.

When I suggested that they optimize the "deny all" default deny to the
top of the sequence, because then it'd really scream - it took him a
couple of seconds to laugh.

mjr.


Although I understand why the auto-optimization would be important,
shouldn't it be intuitive to look up what the rule order is? Maybe
this is inexperience talking but I cannot see optimizing the rule
order on a by-packet or by-host basis. At that point you are left to
either larger subsets of the internet, or a general rule order. Either
way it seems ridiculous to not provide an easy to use means of at
least looking up the current rule order. It sounds like the original
poster at least knows his way around firewall software, which should
be enough to rule out user error in any halfway decent design.

I would say that you should at least discuss your problems with the
software and see if your client wants to return it. Having your
firewall expert spend ~45 minutes poking through the interface to
accomplish basic tasks sounds like the beginnings of a downtime
nightmare to me. If it took that long just to get a reasonably
standard configuration going how long will it take to troubleshoot a
complex problem?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
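The two points above, that a performance reorder is only acceptable if it preserves first-match semantics and that the effective order must be inspectable, as an added worked example that is not part of the thread or of any Watchguard or ASIC vendor's code. It models a first-match ruleset, a naive hit-count reorder of the kind the engineer described (which, taken literally, is exactly the "deny all to the top" joke), and a constrained reorder that only moves a rule ahead of earlier rules it cannot conflict with. The rule format, sample ruleset, hit counts and packets are all constructed for the example.

```python
"""Added example (not from the thread): first-match firewall semantics, a
semantics-preserving hit-count reorder, and the naive reorder that breaks it."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source CIDR
    dst: str         # destination CIDR
    dports: tuple    # inclusive (low, high) destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match this packet?"""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dports[0] <= pkt.dport <= rule.dports[1]


def first_match(rules, pkt: Packet, default: str = "deny") -> str:
    """Classic first-match evaluation: the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def overlap(a: Rule, b: Rule) -> bool:
    """Could some packet match both rules? Conservative: True unless provably disjoint."""
    if a.proto != "any" and b.proto != "any" and a.proto != b.proto:
        return False
    if not ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src)):
        return False
    if not ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst)):
        return False
    return a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1]


def naive_reorder(rules, hits):
    """What a pure performance optimiser does: hottest rule first, no questions asked."""
    return sorted(rules, key=lambda r: -hits.get(r.name, 0))


def safe_reorder(rules, hits):
    """Hottest rule first, but a rule never moves ahead of an earlier rule that
    overlaps it with a different action. The first matching rule for a packet
    may change, but the action it gets cannot."""
    remaining, ordered = list(rules), []
    while remaining:
        for cand in sorted(remaining, key=lambda r: -hits.get(r.name, 0)):
            earlier = rules[:rules.index(cand)]
            blocked = any(e in remaining and e.action != cand.action and overlap(e, cand)
                          for e in earlier)
            if not blocked:
                ordered.append(cand)
                remaining.remove(cand)
                break
    return ordered


def equivalent(rules_a, rules_b, packets) -> bool:
    """Same decision for every sample packet under both orders."""
    return all(first_match(rules_a, p) == first_match(rules_b, p) for p in packets)


def effective_order(rules):
    """What the poster wanted from the GUI: the order actually evaluated."""
    return [r.name for r in rules]


# Constructed sample ruleset, in the order the administrator wrote it, plus hit counts.
RULES = [
    Rule("web",       "allow", "tcp", "0.0.0.0/0",    "10.0.0.0/24", (443, 443)),
    Rule("ssh-block", "deny",  "tcp", "192.0.2.0/24", "10.0.0.0/24", (22, 22)),
    Rule("partner",   "allow", "tcp", "192.0.2.0/24", "10.0.0.0/24", (1, 1024)),
    Rule("deny-all",  "deny",  "any", "0.0.0.0/0",    "0.0.0.0/0",   (0, 65535)),
]
HITS = {"deny-all": 1000, "ssh-block": 800, "web": 100, "partner": 10}

# Constructed sample traffic, one packet per rule.
PACKETS = [
    Packet("tcp", "198.51.100.7", "10.0.0.5", 443),  # web       -> allow
    Packet("tcp", "192.0.2.9",    "10.0.0.5", 22),   # ssh-block -> deny
    Packet("tcp", "192.0.2.9",    "10.0.0.5", 80),   # partner   -> allow
    Packet("udp", "198.51.100.7", "10.0.0.5", 53),   # deny-all  -> deny
]

if __name__ == "__main__":
    for label, order in (("written", RULES), ("safe", safe_reorder(RULES, HITS)),
                         ("naive", naive_reorder(RULES, HITS))):
        print(f"{label:8} {effective_order(order)} "
              f"equivalent={equivalent(RULES, order, PACKETS)}")
```

The safe reorder moves the hot `ssh-block` rule ahead of `web` (they cannot match the same packet, so the swap is invisible), but leaves `deny-all` last; the naive reorder puts `deny-all` first and every packet is dropped. The pairwise constraint is sufficient: if a later rule overtakes the original first match for some packet, the constraint forces it to carry the same action. A real product would run `effective_order` against the post-optimisation table and show it in the UI; that is the missing lookup the thread complains about.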

