Firewall Wizards mailing list archives
Re: Policy Free? (was RE: Penetration Tests)
From: Rick Smith <rsmith () visi com>
Date: Wed, 1 Oct 1997 21:46:36 -0500
On Fri, Sep 26, 1997 at 02:36:49PM -0500, Capt Jim Bailey wrote:
I think everyone agrees that having a solid security policy is needed before implementing any feasible security architecture. My question is what does this policy encompass? My question is not directed at the technical details of how to get things done, but more towards the high level that has to be sold to Joe and Jane user, the management, etc.

Are you looking at writing a document that states such general things like "don't use the network for unofficial business"? Or do you get more specific like "all web traffic will be proxied and only allowed to the following sites..."
My own humble opinion is that this is the centerpiece of really practical security. I like to tell people that security is a three part balance: enterprise objectives, threats, and the costs of security measures. You balance the three and if the balance allows you to succeed as an enterprise, then you're "secure."

However, most people tend to look at security in general and computer security in particular as a concrete objective that defies further definition: we are "secure" if we "pass" our penetration test. Of course, nobody passes such things perfectly, since a good test will find the holes that don't matter as well as those that do. And you can't tell the relevant from the irrelevant unless you know how the holes relate to your operational objectives and the threats against them. The bottom line is that you can't decide how to safely economize on computer security unless you know what you're trying to achieve and how much protection it needs.

Now that I've preached to the choir on the benefits of policy, let me repeat a suggestion someone else once made: that security equipment should be built so it works well despite the fact that the customer hasn't put together a security policy. In other words, we should admit that Mom and Pop won't pay anyone to write a policy for their Internet cafe 'n Web site in preparation for installing the firewall. They know what a firewall costs (it's on the price sheet) so they set aside the money and plug the sucker in.

One might argue that the firewall is simply forcing the site to adopt a policy as a side effect of configuring it. To some extent this is an issue of creating "mainstream" technical products as opposed to products geared for technology buffs. The buffs will take the time to dink with policy while most folks just want the thing to work.

Rick Smith.
rsmith () visi com
"Internet Cryptography" in bookstores
http://www.visi.com/crypto/