Interview : Vadim Kurland (Firewall Builder)

# Hello Vadim : could you introduce yourself for the LSM future visitors who do not know you yet ?

I’ve been working in the network operations organizations of several companies in Silicon Valley since 1996. Before that, I was involved in software development and ISP operation. Even when I was in network operations, I always looked for ways to automate things and write software. I participated in many projects in the areas of network monitoring, configuration management and network security.

# How Firewall Builder comes to life ? what was your main motivation ?

at the very beginning, I just needed something to help me configure ipchains on Linux firewalls. This was long time ago, as you can see since it started with ipchains. However later on I realized that I can develop something that could match the quality of the user interface of commercial products such as CheckPoint Firewall-1 and at the same time utilize flexibility and power of OpenSource firewalls such as iptables, PF, ipfilter. So the project evolved into something more complex and more valuable than just another GUI for ipchains.

# Firewall Builder is a cross-firewall tool, so you have to work with differents communities and even proprietary software. Is there a specific way to deal with each of communities ? Do you encounter differences between the proprietary and the open source ones ?

I do not need to interact with developers of the firewalls, such as netfilter team or Cisco developers. I work with people who use them, mostly system or network administrators. I do not feel any difference between working with people who use, say, iptables and PIX. All supported firewall platforms are quite mature, well documented and all I need is understanding of how the firewall works and its configuration language, be it iptables command line or PIX configuration. As long as authors do not make radical changes to their configuration language from version to version, I usually do not have serious problems.

# What is the size of the Firewall Builder project in terms of project members (developpers, Q/A, docs etc) ? As project leader, do you have special wishs about the ways you would like Firewall Builder community to evolve ?

There is only one permanent member, that is me. I receive contributions in the form of patches or even sizeable chunks of code from time to time, which I appreciate very much and try to work closely with authors to integrate them into the project. I sometimes hire outside programmers to do specific projects, pretty much exclusively in the GUI area. I’ve been writing documentation myself so far, although recently I hired professional technical writer to make it better. I would be glad to see more contributions and especially active participation in beta-testing. It would also help if users more actively were involved in writing HOWTOs and other kinds of supporting documentation.

# What are the main lines in which Firewall Builder will develop in the next months/years ?

Next major release, due late summer 2009, will include support for the firewall clusters and QoS. It will also come with integration with popular Linux firewall appliances such as IPCOP, Endian, Secunet Wall and possibly few others.

# Is there a chance to see Firewall Builder as a service for a use through a browser instead of a dedicated desktop program ?

Probably not. This model conflicts with security practices of most users. If Firewall Builder was implemented as a service, this would mean that the user would upload their security policy to the third party web site, which is a bad idea from the security standpoint. Another problem with this model is that it is very hard to implement proper mechanism to transfer generated firewall script to the firewall machine and activate it there if the client is actually a browser. I keep coming back to this idea but I simply do not see how this could be implemented.

# What do you expect from the Firewall Builder talk at the LSM/RMLL event and have you a special wish for the 2009 LSM ?

I am looking forward to this talk as an opportunity to meet existing users and bring new ones to the community. I always want more feedback and more fresh ideas. This is probably the most important part.

# Thank you very much Vadim for the time devoted to this interview :)

Thank you, I appreciate the opportunity to share my vision about the project and communicate with existing and potential users.

Interview made by email by Christophe Brocas, LSM 2009 Systems and Security topic.