Firewall Wizards mailing list archives
RE: Re: Air Gaps vs. Firewalls
From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 04 Oct 2000 14:11:10 -0500
At 11:57 AM 10/4/00, Ryan Russell wrote:
Where something like this would really be fun is in a situation where the firewall admin/security officers/whatever is supposed to approve new web apps. This would actually give them a way to enforce the policy.
Putting the security admin "in the loop" for approving new apps will increase the admin's backlog of things to do, and such people are usually part time, or overworked, or both, already.
In addition, many companies are treating web sites like performances as opposed to engineering artifacts: they're intended to engage visitors and keep them interested. This requires "freshness" that comes from continuous changes.
We need to provide the best security we can without making it take "too long" to revise the site.
One approach is to establish some parameters for "easy" versus "hard" changes to the site. Easy changes they do themselves and the changes "just work." Hard changes take longer and involve the security staff.
I used to have a problem at a previous job with systems administrators attaching new machines to the DMZ, thinking they were going to go live. They could get an address, and figure out which port to plug into on the switch, but they got nowhere until I changed the firewall config. (After completing the lockdown/review process that was supposed to happen before they got that far, of course.)
That might be an example: modifying pages might be an "easy" change that doesn't involve the security folks, but they can't install new machines unless security gets involved.
Rick.
smith () securecomputing com
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards