Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Fri, 11 Apr 2003 10:51:51 -0400
OK, several people have lamented on the state of coding, especially related to the security industry. Lots of good comments have passed over my T1 but I think a simple point has been missed. Where's the pain?

MS seems to be the example of the week so I'll continue that but this applies to just about any vendor. A basic assumption in this email is: better code, better testing, implies larger cost.

MS IIS has bugs, bugs are reported in the industry news, bugs get fixed. The issue is the pain of the fixes/break-ins vs. the retraining/retooling/"better tool" costs weighted by the chance of an incident, all tempered by the politics. Ahhh, what politics you say, politics in a technical environment, tsk, tsk (yeah, right).

Assume I'm a Microsoft oriented admin and I do NOT want to learn Unix (or the other way around). First line of defense when questioned (IF questioned) by management: we stay on top of the patches and update regularly. Second line of defense: hey, the Unix side has bugs too, see this list from CERT. Third line of defense: Unix admins cost more and the boxes are harder to admin because MS has a better GUI. (Hey, no one said politics was a clean game.) So, one issue is political statements as technical gospel from the 'techies'. Hell, the typical CEO understands the MBAs better than he/she understands the IT guys.

Other issues include:

- How many CEOs have lost their job due to an Internet break-in?
- How many companies have gone out of business due to a bad security tool choice (or any other software bugs)?
- How well known is the reason for their demise in their community (not ours)?
- What number would the typical CEO choose if asked: "How many Internet break-in attempts occur at your company every year?"
- How many techies have said, "we need X or the sky will fall" yet the sun came up in the morning?
- How many break-in stats are publicly available and what is their confidence level?
- How many break-in COST stats are publicly available and what is their confidence level?
- What is the perception of the failure? Credit cards were stolen from a CC processing company; is the perception the firewall failed, the web server failed, a human didn't patch, or the company had a screwed CC storage policy?

So basically, WHERE IS THE PAIN? Better coded/tested toys cost more money to bring to market, probably implies more dollars at retail. On-going real daily security at the interface level costs dollars every year for training, bodies, and tools; where's the CEO level justification? Hey, we might get broken into, and the cost of clean-up that no one believes might be high. Of course, I can't tell you what the chance of a break-in is because I have no REAL data. Nor can I give you a good delta on the chance of approach 1 vs. approach 2 because I have no data.

But I CAN tell you, or you can read in the news, that "Spiffy tool X" is the market leader. Sure, I CAN say that IIS has had more bugs reported than "Competitor A". I probably can cost estimate the expense of a switch to the "Competitor A" product. I CAN'T say that by spending those X dollars I've decreased the chance of a break-in by 10% using any HARD data. Oh, and even if I could, I can't say what the original chance of a break-in at this company is BEFORE I reduced it by 10%. Did we go from 40% to 36% or from 1% to .9%?

To the average CEO/COO/CTO the cost of security vs. the value is STILL black magic. Some of us have been around the block, some people work in the industry, we have a good feel for 'worth', but the average guy doesn't necessarily have either event in his favor. With a clue you can make an educated coin flip type choice when you first buy. Product A's rep sucks, Vendor B isn't thought well of in the industry, Vendor C is about to go under, Product Q has no mileage yet and is an unknown. With connections or other info you can do even better. Hey, I've swapped email with the lead guy at Vendor X and I know he has a clue.

But sometimes post commitment gets difficult to judge. I already own N copies of firewall software 'Q'; I can replace them with appliance X at only N thousand dollars each, plus training. Is that REALLY a good deal? How much have I really reduced my risk? How much have I reduced/increased my operational costs? Is it worth it, especially if I've never been broken into before? Should I fix/change the firewall, the web server, the staff training policy, the data retention? Where do I apply my $$$ to fix 'the problem', what does the industry data tell me? (i.e. is it software, humans, or process, will changing the software really be worth it?)

So SHOW ME THE DATA. Hell, find a way to SHOW EVERYONE THE DATA, make it clear data and MAYBE we can all be close to the same page on cost vs. security vs. software quality.

Some break-ins are attributed to a firewall failure, some to a web server bug, many to a failure to patch, many to configuration issues, some to busted process/stupid human tricks. Right now, given industry news coverage (the main data source for many executives), most execs would bet on human/process issues as the biggest threat, not software reliability. My guess is 'the pain' CEOs see is the human, NOT the software reliability. Companies spend money to fix problems, i.e., reduce pain. Better software is good at initial buy in; better software as a switch implies retraining the 'weak link' and accepting the pain curve again, so justification is more difficult.

Ah well, I was due for a rant, I apologize for my targeting skills :-).

Oh, and before the counter rants start: I'm not for or against MS products, I like stuff that works regardless of vendor, they were an example only. I'm a CTO, in theory that's the O with a technical clue. I DO understand that more reliable software or switches to more idiot proof user interfaces can help reduce break-ins, I'm one of the ones that's been around the block. I'm not stating that switching is not a good thing, I'm saying that CEOs don't like to toss out investments and training and that some of the 'better' is subjective and hard to quantify in real dollars while the current investment is easy to quantify. Fortunately my CEO thinks I have a clue and is usually willing to listen to reason :-).

OK, fire away.

--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480
Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com