I would say the answer is never. Security is always more important than user friendliness. But, of course, there is the old axiom that if security is too hard to use, people will bypass it, leaving their system really insecure.
I'm having a friendly disagreement with my DH. His software-based personal firewall product lets a user add the following rules, with one click of the mouse on a button having to do with protecting UDP services:
allow log tcp from any to any dst-port 53 in setup
allow udp from any to any dst-port 53 in
allow log tcp from any to any dst-port 67-68 in setup
allow udp from any to any dst-port 67-68 in
allow log tcp from any to any dst-port 123 in setup
allow udp from any to any dst-port 123 in
Why would a personal firewall allow traffic into port 53 (DNS server)? Luckily that port will be closed on most personal computers, but still it seems risky and unnecessary. And why allow traffic into port 67? That's the port used by a DHCP server, not a client. The client uses UDP 68. Allowing traffic into UDP port 123, it turns out, is necessary for NTP to work. Both the client and server use UDP port 123. But the rest of the rules are unnecessary and unsafe, in my opinion. And what's with the TCP rules appearing because I clicked on a button related to UDP?
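To make the argument above concrete, here is a small audit script I am adding to this post (it is not part of my husband's product and is not his code): it parses the six ipfw-style rules quoted above, flags every inbound "allow" that opens a port a client PC has no reason to listen on, and prints the tightened rule set that keeps only the DHCP client port (UDP 68) and NTP (UDP 123). The policy table CLIENT_SIDE_OK is my own assumption about what a home machine needs; the rule grammar is a simplified subset of ipfw syntax covering only the forms shown in the post.

```python
"""Audit ipfw-style personal firewall rules for unnecessary inbound ports.

Added example: parses rules of the shape
    allow [log] <proto> from <src> to <dst> dst-port <port>[-<port>] in [setup]
and reports each inbound allow that does not match a client-side port.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The six rules quoted in the post (these come from the page, not invented here).
PAGE_RULES = [
    "allow log tcp from any to any dst-port 53 in setup",
    "allow udp from any to any dst-port 53 in",
    "allow log tcp from any to any dst-port 67-68 in setup",
    "allow udp from any to any dst-port 67-68 in",
    "allow log tcp from any to any dst-port 123 in setup",
    "allow udp from any to any dst-port 123 in",
]

# Simplified ipfw grammar: only the keywords that appear in the quoted rules.
RULE_RE = re.compile(
    r"^\s*(?P<action>allow|deny)\s+(?:(?P<log>log)\s+)?(?P<proto>tcp|udp|ip)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+dst-port\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?)?"
    r"\s+(?P<dir>in|out)(?:\s+(?P<setup>setup))?\s*$"
)

# Assumed policy: ports on which a client host legitimately accepts inbound
# packets. (udp, 68) is the DHCP client side; classic NTP uses 123 on both ends.
CLIENT_SIDE_OK = {("udp", 68), ("udp", 123)}

# Names for the well-known ports discussed in the post, used in finding text.
PORT_NAMES = {53: "DNS server", 67: "DHCP server", 68: "DHCP client", 123: "NTP"}


@dataclass
class Rule:
    action: str
    log: bool
    proto: str
    src: str
    dst: str
    lo: Optional[int]      # first destination port, None if no dst-port clause
    hi: Optional[int]      # last destination port (== lo for a single port)
    direction: str
    setup: bool            # "setup" restricts a tcp rule to connection-opening packets
    text: str


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError on anything outside the subset."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    lo = int(m["lo"]) if m["lo"] else None
    hi = int(m["hi"]) if m["hi"] else lo
    return Rule(m["action"], bool(m["log"]), m["proto"], m["src"], m["dst"],
                lo, hi, m["dir"], bool(m["setup"]), line.strip())


def audit(rules: List[Rule]) -> List[Tuple[str, str, int, str]]:
    """Return (rule_text, proto, port, reason) for each inbound port not in policy."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.direction != "in" or r.lo is None:
            continue
        for port in range(r.lo, r.hi + 1):
            if (r.proto, port) in CLIENT_SIDE_OK:
                continue
            name = PORT_NAMES.get(port, f"port {port}")
            reason = f"inbound {r.proto}/{port} ({name}) is a listener a client host does not need"
            findings.append((r.text, r.proto, port, reason))
    return findings


def tightened(rules: List[Rule]) -> List[str]:
    """Rebuild the inbound allow rules keeping only policy-approved ports."""
    kept = []
    for r in rules:
        if r.action != "allow" or r.direction != "in" or r.lo is None:
            kept.append(r.text)
            continue
        for port in range(r.lo, r.hi + 1):
            if (r.proto, port) in CLIENT_SIDE_OK:
                log = "log " if r.log else ""
                setup = " setup" if r.setup else ""
                kept.append(f"allow {log}{r.proto} from {r.src} to {r.dst} dst-port {port} in{setup}")
    return kept


if __name__ == "__main__":
    parsed = [parse_rule(line) for line in PAGE_RULES]
    for text, _, _, reason in audit(parsed):
        print(f"FLAG  {text}\n      {reason}")
    print("\nTightened rule set:")
    for line in tightened(parsed):
        print("  " + line)
```

Run against the quoted rules it flags six of the eight port/protocol pairs (both DNS rules, all three TCP rules, and UDP 67) and leaves exactly two lines, the UDP 68 and UDP 123 allows. Whether NTP on 123 should stay depends on the client's NTP implementation; the table is the place to record that decision rather than the button.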
My DH's answer? Users get confused and complain if you don't allow those ports. Something goes wrong with their firewall or their computer (or they knock over the cable modem and kick out the power cord, I'm thinking), and they claim that it's because the firewall doesn't allow DHCP and DNS. What kind of pseudo-technical user would say that, I wonder, but my DH stubbornly refuses to agree with me. At least he agrees on other things in our life, like I'll do the dishes if he cooks. :-)
My DH's most important goal with his product is ease of use for non-technical users (as well as pseudo-technical users, it seems), and I can understand that. The usability/security tradeoff is an important consideration, but I think my brilliant husband's brain may be tipping too far into the iFruit mentality. :-) Or maybe he just got sick of the tech support calls like this:
Caller: Is the Internet down?
DH: um, no
Caller: Are your servers having a problem?
DH: um, no
Caller: Well, I think it's your firewall then. I can't get an IP. Your firewall doesn't allow DHCP and DNS.
DH: um, ok, we'll change the firewall software...
Me: hunh?
While I agree that no home machine will have a DHCP or DNS server, it's pretty unlikely it will significantly harm the security of the system. Therefore I wouldn't feel particularly bad about opening those couple of ports, if only so the eventual users get tech support to admit it's their issue.
- Jeff McJunkin