# Does Ease of Use Make for Bad Security?
Something I've been wondering for a while: has the proliferation of
web-based and GUI firewall or security appliance interfaces over the
past few years been helpful as far as enabling network security
administrators? Take as examples Check Point's policy editor,
[Fwbuilder][1], or [m0n0wall][2]. All make administering firewalls
pretty easy at this point. But do they really help administrators
learn their craft? Is it too easy to administer a firewall or
security appliance these days?

While that sounds like an odd question (easy is good, right?), what
if the ease of these products enables a false sense of security in
their less experienced users? To put it another way, does the
"security black box" that many of these appliances have become
contribute to security blunders?

This may be just another variant of the "I walked uphill to school
in two feet of snow every day when I was a kid...", but I learned
firewall administration and networking by digging into low-level
stuff: hand-editing firewall rulesets (Linux ipfwadm back then),
dissecting pcap traces and syslog output, sometimes staring at
driver code to figure out what an obscure error meant, and generally
fixing problems by trial and error.

Through this process, I learned a lot about how the security
mechanisms I was using worked under the hood. This has helped me
quite a bit over the years when confronted with an odd problem
hidden by a convenient interface. Other people I know had the same
experiences fiddling with router ACLs, but the result was the same:
their low-level experiences helped them be better
administrators.

This reminds me of the Joel on Software article on [The Perils of
Java Schools][3], where he says that Java is not a "hard" enough
programming language to distinguish great and mediocre
programmers.

Similarly, perhaps experience with the latest black-box appliance is
not a good indicator of skill in security administration. Does this
matter anymore? Can you take someone fresh out of a CS program and
plop them in front of a Check Point firewall, with a CD of PDF
manuals, and expect them to create a coherent and effective security
policy? I don't think so. Good security is still too hard - some of
the most egregious security mistakes I've seen come from
inexperienced admins using tools meant to make security "easy". If
anything, these tools encourage the hiring of inexperienced security
staff. While it's true that everyone makes mistakes, I think it's just a
matter of degree in this case.

One example I've seen plenty of over the years in various forms is
allowing bi-directional traffic flow between hosts or networks, when
only one direction is needed. This usually is evident in rules like
"Allow all TCP traffic on ports 1025-65535 to and from these two
hosts", or "We have to allow the replies from our ISP's DNS server,
so open up all traffic into our network with a source port of UDP
53". This stems from a lack of understanding of how stateful
firewalls track connections, and only a basic understanding of how
the underlying protocols work. But it opens up avenues of attack
that would not have otherwise been present.
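
The difference between the source-port rule quoted above and stateful tracking can be shown on a few packets. This is an added example, not code from the original post; the addresses, ports and the toy `StatefulFilter` class are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample traffic; all addresses and ports are assumptions.
Packet = namedtuple("Packet", "direction proto src sport dst dport")

SAMPLES = {
    "dns_query": Packet("out", "udp", "10.0.0.10", 40000, "192.0.2.53", 53),
    "dns_reply": Packet("in", "udp", "192.0.2.53", 53, "10.0.0.10", 40000),
    # Unsolicited datagram that merely uses source port 53, aimed at an
    # internal service port that no inside host ever contacted it from.
    "unsolicited": Packet("in", "udp", "203.0.113.7", 53, "10.0.0.20", 161),
}


def stateless_allows(pkt):
    """The rule quoted above: accept any inbound UDP with source port 53."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "udp" and pkt.sport == 53


class StatefulFilter:
    """Toy connection tracker: inbound must mirror a recorded outbound flow.
    Real firewalls also expire entries and follow TCP state; omitted here."""

    def __init__(self):
        self.flows = set()

    def allows(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # A reply swaps source and destination of the flow it answers.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(samples=SAMPLES):
    """Return {name: (stateless_verdict, stateful_verdict)} in sample order."""
    stateful = StatefulFilter()
    return {name: (stateless_allows(p), stateful.allows(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12} stateless={stateless!s:5} stateful={stateful}")
```

Both filters pass the genuine DNS reply, but only the source-port rule also passes the unsolicited datagram, because it never checks whether an inside host asked for it.
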

[1]: https://web.archive.org/web/20080309204147/http://www.fwbuilder.org/
[2]: https://web.archive.org/web/20080213040201/http://m0n0.ch/wall/
[3]: http://www.joelonsoftware.com/articles/ThePerilsofJavaSchools.html