Firewall Wizards mailing list archives

Re: newbee to firewalls


From: Steve George <stevege () i-way net uk>
Date: Sun, 1 Aug 1999 17:54:30 +0100

Hmm,

I'd say the first question is 'Is the client serious about security?', often initially a company is not serious about 
security, they are just trying to satisfy 'due diligence'.  If they are not you have to try and assess the risk 'what 
assets do they have, how likely are they to be attacked, is the cost of protection higher than the asset worth' and you 
may have to convince the influencers that there is risk.  So the first step is risk assessment often in conjunction 
with education.

From there you move onwards to the planning of the system.  What are we trying to protect, what features does the 
client want (this may or may not have anything to do with the system you plan but is important) and what are the 
aims/budget.  In other words you detail the scope of the system, what it will do and how, and more importantly what it 
WON'T do: that way no-one is confused about the limits.  The client has to agree/negotiate with this.

Then you're into the actual plan of each element and how they will interact.  This specifies how each element acts and 
clarifies how the sections interact.  For example how does the virus protection interact with the firewall etc.  Often 
this clarifies muddy water or twists you didn't foresee: often the client comes up with some wrinkle they didn't 
think was 'important' at the time.  Then you implement the system.

Finally, you are into the continued growth and evolvement of the system.  The business environment changes so the 
client requires VPNs hence you have to manage the changes with them: give them the important things and be firm about 
the dangerous ones - eventually it is their decision.  This is the hard part because it is easy to say NO but 
businesses don't function because of security, it's a support function.

Personally, I think the management side is the hardest.  You can learn all you are likely to need technically from some 
books, some experimentation and a lot of thought.  But the people issues are just something you discover as you go 
along (like trying to find the light-switch in a dark unfamiliar room).

If this isn't going to be a permanent job you might consider trying to learn enough to be able to ask the right 
questions of someone for whom it is a full time job.  The ability to hire the right people for specialist work is, I 
think, a rare skill in itself.

Good luck,

Steve

On Fri, Jul 30, 1999 at 01:24:27PM -0400, RAYMOUR () aol com wrote:
The company I work for have assigned me the task of learning Internet 
Security/Firewalls. I have been surfing for info and have found a lot of 
information. Also I have ordered a couple of books "Building Internet 
Firewalls" and "Firewalls and Internet Security" which have been mentioned at 
this site. My problem is that I was given this assignment Monday July 26 and 
I'm supposed to have some questions on what is needed to start this process.
Can anyone help me out on what kinds of questions I should be asking to start 
the process rolling?
I know I need to "READ" "READ" "READ".


-- 
"Hacker, terrorist, pornographer, drug trafficker," 
"That's it -- the four horsemen of the Apocalypse." 
 J. Granick referring to the US public's fears.


