Firewall Wizards mailing list archives

Re: Re[2]: [Theory] Time for a new FWTK? (long)


From: Bennett Todd <bet () rahul net>
Date: Wed, 3 Dec 1997 10:12:40 -0800

1997-12-02-17:03:40 Rick Giering:
I'm glad to hear you are at such a place and have the support of your
management. I just hope it stays that way as your management changes
over time (retirements, transfers, promotions, new hires, etc.).

But, please be aware that many organizations (companies, universities,
ISP's, etc.) aren't that way. [...]

Oops! I got so carried away with boasting about my happy estate that
I seem to have mislaid the point I was really hoping to make: if your
situation does not have a well-documented security policy, which is
maintained by intelligently weighing risks and costs against benefits,
and is strictly enforced, then you have a problem that doesn't admit of
a technical solution.

Don't sweat firewall technology; if you build yourself the ultimate
firewall, a genuine tour de force, it won't be any better than a
straight piece of wire if you can't configure it to precisely enforce a
security policy.

What I recommend for people found in such conditions is, fix the
conditions or vacate the premises. Last time I was in such a setting,
the root cause was a ``Data Security'' department that had so completely
alienated the rest of the firm that people got into the habit of
assuming that security was stupid and wrong, just because its
officially designated advocates were invariably stupid and wrong. So,
for example, I couldn't get 'em to track basic important security fixes.
The repair for that situation was terribly, terribly simple: I wrote up
exploits for the bugs in question that were so easy to use that I could
make a horror demo for management. User-friendly burglary scripts. With
a convincing demo of how bad the problem is, all the required management
endorsed the notion of fixing things :-).

If that effort fails, then the next step is to download resume.sty and
get out before the big kaboom. You _don't_ want to be there in an admin
role when the system gets viciously burgled or sabotaged, and if
responsible people refuse to intelligently value security then they're
doomed. You don't want to be doomed with them.

-Bennett


