Firewall Wizards mailing list archives
Re: Re[2]: [Theory] Time for a new FWTK? (long)
From: Bennett Todd <bet () rahul net>
Date: Wed, 3 Dec 1997 10:12:40 -0800
1997-12-02-17:03:40 Rick Giering:
I'm glad to hear you are at such a place and have the support of your management. I just hope it stays that way as your management changes over time (retirements, transfers, promotions, new hires, etc.). But, please be aware that many organizations (companies, universities, ISP's, etc.) aren't that way. [...]
Oops! I got so carried away with boasting about my happy estate that I seem to have mislaid the point I was really hoping to make: if your situation does not have a well-documented security policy, which is maintained by intelligently weighing risks and costs against benefits, and is strictly enforced, then you have a problem that doesn't admit of a technical solution. Don't sweat firewall technology; if you build yourself the ultimate firewall, a genuine tour de force, it won't be any better than a straight piece of wire if you can't configure it to precisely enforce a security policy.

What I recommend for people found in such conditions is, fix the conditions or vacate the premises. Last time I was in such a setting, the root cause was a "Data Security" department that had so completely alienated the rest of the firm that people got into the habit of assuming that security was stupid and wrong, just because its officially designated advocates were invariably stupid and wrong. So, for example, I couldn't get 'em to track basic important security fixes. The repair for that situation was terribly, terribly simple: I wrote up exploits for the bugs in question that were so easy to use that I could make a horror demo for management. User-friendly burglary scripts. With a convincing demo of how bad the problem is, all the required management endorsed the notion of fixing things :-).

If that effort fails, then the next step is to download resume.sty and get out before the big kaboom. You _don't_ want to be there in an admin role when the system gets viciously burgled or sabotaged, and if responsible people refuse to intelligently value security then they're doomed. You don't want to be doomed with them.

-Bennett