Firewall Wizards mailing list archives
Re: Vulnerability Response (was: BGP TCP RST Attacks)
From: George Capehart <capegeo () opengroup org>
Date: Thu, 27 May 2004 17:58:06 -0400
On Wednesday 26 May 2004 06:30 pm, Marcus J. Ranum wrote:

<snip>

> threats and vulnerabilities are, and whack those. That's a really useless approach in the long run. I'd guess that a significant number of the firewalls I've seen are being used to knock down "well known bad things" instead of "only allow a few good things." I did a talk the other day in which I outlined the "old-school" secure firewall approach (non-routed networks, proxy everything, default deny, audit policy violations) and people in the room were amazed: "None of our users would accept that kind of solution!" they cried. Therein lies the rub. As long as something so important as security is the tail trying to wag the dog, it's not going to go anyplace.
*crawls out from under rock, drags out soap box*

Seems to me this is less a case of security being the tail trying to wag the dog as it is a case of users being the tail that actually wags the dog. One must wonder who is running the company. These are policy issues, for crying out loud! Sounds like it's time to introduce a certification and accreditation process into those organizations. Doesn't have to be as rigorous as DITSCAP or SP 800-37 . . . just something that forces the people in the company who are supposed to be managing the risk to do so . . . or formally, in writing, accept the risk that they're *not* managing.

My 0.02 $currency_denomination.

Cheers,

George Capehart