The real issue with the interface-based approach is in more complex networks. The user has to move from one tab to another, representing rules associated with a particular interface, in order to modify multiple rules associated with a particular application.

For example, if a user has an application that receives a connection from the outside to an internal server on a different interface and that application server then has to establish a separate related connection to another DMZ, rules will be required on the internet interface and on the interfaces of other DMZs. To enter these rules, the administrator will have to move from one tab to another and cannot see all the associated rules in the same context. While some users are well-disposed to understanding the concepts and making changes in each “tab”, other users require a complete visualization of the project. Seeing all of the related rules together makes construction of the rules easier since the user can then “trace” the application activity by studying each rule while entering another.

The argument below is more of a technical one and not a usability one. If there is enough interest, I am happy to prototype one. I am sure that a combination of filters, sorting and grouping can provide an extraordinarily usable interface.

Park
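The two-leg scenario above (an inbound connection to a server in one DMZ that then opens a related connection into a second DMZ) can be modelled to show what an "application view" on top of interface-based rules would look like. The following is an added illustration, not code from this thread or from pfSense: it keeps one rule table per interface, as pfSense does, but tags every rule with the application it serves so the same rules can be grouped and traced per application, and it flags any leg of an application that has no rule on its ingress interface. Interface names, addresses and ports are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection leg of an application: where it enters the firewall and its tuple."""
    app: str       # application tag this leg belongs to
    ingress: str   # interface on which the connection first arrives
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    interface: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    app: str       # tag that lets the interface view be regrouped by application


# Constructed topology (hypothetical): internet on "wan", app server in "dmz1",
# database in "dmz2". Addresses are RFC 5737 documentation ranges.
FLOWS = [
    Flow("webapp", "wan",  "any",        "192.0.2.10",    "tcp", 443),   # internet -> app server
    Flow("webapp", "dmz1", "192.0.2.10", "198.51.100.20", "tcp", 5432),  # app server -> database
    Flow("smtp",   "wan",  "any",        "192.0.2.25",    "tcp", 25),    # unrelated second application
]


def compile_rules(flows):
    """Interface view: one ingress pass rule per flow, keyed by interface (default deny assumed)."""
    table = defaultdict(list)
    for f in flows:
        table[f.ingress].append(Rule(f.ingress, "pass", f.proto, f.src, f.dst, f.dport, f.app))
    return dict(table)


def rules_for_app(rules_by_iface, app):
    """Application view: every rule tagged with `app`, regardless of which interface holds it."""
    return [r for rules in rules_by_iface.values() for r in rules if r.app == app]


def trace(flows, app):
    """Ordered list of interfaces an application's legs cross, in the order they were declared."""
    return [f.ingress for f in flows if f.app == app]


def uncovered_flows(flows, rules_by_iface):
    """Legs with no matching pass rule on their ingress interface: the ones most easily
    forgotten when rules are entered one interface tab at a time."""
    missing = []
    for f in flows:
        candidates = rules_by_iface.get(f.ingress, [])
        covered = any(
            r.action == "pass" and r.proto == f.proto and r.dst == f.dst
            and r.dport == f.dport and r.src in ("any", f.src)
            for r in candidates
        )
        if not covered:
            missing.append(f)
    return missing


def render(rule):
    return f"{rule.interface}: {rule.action} {rule.proto} from {rule.src} to {rule.dst} port {rule.dport}  [{rule.app}]"


if __name__ == "__main__":
    table = compile_rules(FLOWS)
    print("Interface view:")
    for iface, rules in table.items():
        for r in rules:
            print("  " + render(r))
    print("Application view (webapp):")
    for r in rules_for_app(table, "webapp"):
        print("  " + render(r))
    print("Trace for webapp:", " -> ".join(trace(FLOWS, "webapp")))
    # Simulate forgetting the dmz1 leg and show the check catching it.
    partial = {"wan": table["wan"]}
    print("Uncovered legs:", uncovered_flows(FLOWS, partial))
```

The interface tables are unchanged from what an interface-based firewall already keeps; the application tag is the only addition, and it is what makes grouping, filtering and the missing-leg check possible without changing how rules are evaluated.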

On Jun 1, 2006, at 5:34 PM, Randy B wrote:

Being a typical netizen and wanting to chime in my $0.02...

Out of curiosity's sake, where did this come from?  Are you
approaching from a UI design methodology, or are you a network
designer, or...?  Some background might help the engineers (who speak
machine better than meatspace) understand precisely what your intent
is and where you're coming from.

I'm a full-time professional admin/engineer for a herd of ~100
hardware firewall pairs and a 15,000 user VPN, in addition to using
pfSense in a [relatively] complex setup at home - LAN, WAN, bridged
DMZ, and RF DMZ.  I've also been using raw iptables in Linux for
several years, and I can't imagine a viable case for non
interface-based rules.  I've been wrong more times than most, but...
The only edge case that comes close for me is a bridged setup (n LAN,
n WAN), in which case I would treat the bridge as a whole, but that's
still interface focused.

What's this "ISA server", and what is it similar to?  Seriously - I've
heard of a Raptor (IBM windows-based firewall), but not an ISA server.
Does anything (other than design tools like SolSoft) really present
this kind of interface?

RB

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


