Firewall Wizards mailing list archives

Re: Vulnerability Response (was: BGP TCP RST Attacks)


From: George Capehart <capegeo () opengroup org>
Date: Thu, 27 May 2004 17:58:06 -0400

On Wednesday 26 May 2004 06:30 pm, Marcus J. Ranum wrote:

<snip>

threats and vulnerabilities are, and whack those. That's a really
useless approach in the long run. I'd guess that a significant number
of the firewalls I've seen are being used to knock down "well known
bad things" instead of "only allow a few good things."   I did a talk
the other day in which I outlined the "old-school" secure firewall
approach (non-routed networks, proxy everything, default deny, audit
policy violations) and people in the room were amazed: "None of our
users would accept that kind of solution!" they cried. Therein lies
the rub. As long as something so important as security is the tail
trying to wag the dog, it's not going to go anyplace.

*crawls out from under rock, drags out soap box*

Seems to me this is less a case of security being the tail trying to wag 
the dog as it is a case of users being the tail that actually wags the 
dog.  One must wonder who is running the company.  These are policy 
issues, for crying out loud!  Sounds like it's time to introduce a 
certification and accreditation process into those organizations.  
Doesn't have to be as rigorous as DITSCAP or SP 800-37 . . . just 
something that forces the people in the company who are supposed to be 
managing the risk to do so . . . or formally, in writing, accept the 
risk that they're *not* managing.

My 0.02 $currency_denomination.

Cheers,

George Capehart

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
