Firewall Wizards mailing list archives
Re: Best Practices
From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Fri, 21 May 2004 13:33:19 -0400 (EDT)
On Wed, 19 May 2004, Dana Nowell wrote:

Starting from the bottom ;> Yes, it's clearer *grin*

I've snipped much of what you've written, and ended up addressing this as "you/your". It's intended as a convenience, not an irritation ;>

To summarize, you'd like to:
(1) Create a list of minimum best practices for computer security
(2) Create more targeted lists for specific markets/audiences
(3) Spread this throughout the security community, and beyond

Next you ask if it's possible to come up with a list that everybody can agree on, looking specifically at the business space, rather than the home user [which is another discussion in some, but not all ways].

Your list starts with:

Least privilege - I'd tend to bundle segmentation/compartmentalization, as well as reduced connections here, since those are really about providing the least privilege. I'll certainly grant that they should be broken out for the sake of clarity within the least privilege bundle ;>

Passwords/Accounts - Hrm. This isn't actually what I'd want to use as a meta-concept. What you're trying to establish is that a given action was taken by a given, identifiable entity. I think that I'd be inclined to use something more like "Provable identity". Take a look at AAA, which nicely describes the same general concepts. Authentication [who is it?], Authorization [what can they do?], Accounting [what did they do?]

You skim, but don't really catch on to some of the ones that I consider to be absolutely major - Risk Analysis and Policy. In order to build any form of successful security infrastructure, you need to know what you're protecting - and against what dangers you're protecting it. Risk analysis gives you that basic data. Policy then describes how much you care, and what the basic constraints for your infrastructure will be.
If we concentrate on just the generic small business segment, I'd bet we can create list 'Foo SB'. As we do the other segments we get lists 'Foo LB' and 'Foo Asset'. Now I picked SB, LB, and asset, I'm not married to that specific split, just some agreed segmentation of the space.
IMHO, best practices aren't as much about giving people specific lists about what to do - one of my ongoing issues with many of the books that are published in the security field is the 'recipe' approach - as they are about helping people to understand basic concepts that lead to good security. Following a list blindly doesn't indicate understanding of 'why', as much as being able to type in 'how' - and we've all seen what happens when [to go back to a different thread] people believe that there's a technical panacea for non-technical issues. [0]
What I'm suggesting, if extended out to a ridiculous extent, is similar to the RFC concept or the ANSI standard concept but for Internet connected network security. I doubt we can get that far, but a similar process might be useful. (NOTE: I have no actual process in mind, this is a straw man at best)
Er. The RFC concept is interesting, but in general tends to be very good for issues that are readily quantifiable such as protocols, and not nearly as good for policy issues [which are subject to debate at the best of times *grin*]. I think what we're talking about here is more of a highly accessible 'plain English' description of best practices than the labyrinthine and precise world of ANSI and IETF specifications ;> Correct me if I'm mistaken about your intent, though ;>
The obvious issue is: it is a hard problem. Networks are diverse; can we find sufficient commonality? Information gets quickly dated if specific, so we need general principles, not 'install a firewall here' stuff. General principles may be too general to be useful and the specific information is too dated, so can we draw the correct line? Is it even possible?
IMHO it's about teaching people why it's an important problem, and how they can think about the problem, with general guidelines in their particular environment.
Whether this is viable or not, we need a plan to broaden the discussion and build a public base of knowledge that can be extended. Specific discussions about network X in context Y are useful, but by definition, frequently too specific to extend knowledge broadly to other contexts. This list has to a large extent become more tactical than strategic (I have/posit problem X in context Y, let's discuss, is the general thread, IMO). As wizards I propose we let the apprentices deal with the tactical and we deal with the strategic, or at a minimum we try for a mix of some strategic with the tactical. Why? Because today's tactical is next month's garbage as threats mutate, but hopefully there are some basic strategic principles that have longer lives (which I THINK is where the original discussion needed to be broadened).
Well - in theory this list started out as a complement to the more basic firewalls list, which consisted largely of "how do I do this" questions. ... but the firewalls list isn't active any longer, and people will find places to ask their questions ;>

cheers!

[0] "I have a firewall, so my company must be safe"

==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
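The post above bundles least privilege with AAA (Authentication: who is it? Authorization: what can they do? Accounting: what did they do?). The following is an added example, not code from the list or from either poster, showing those three concepts as one small deny-by-default reference monitor: a principal is authenticated against a stored PBKDF2 hash, authorized only for (action, resource) pairs that policy explicitly grants, and every decision, including failed logins, is written to an accounting log. The usernames, passwords, salts and policy table are constructed for the example.

```python
"""Deny-by-default AAA reference monitor (added example; names and data are constructed)."""
import hashlib
import hmac
from dataclasses import dataclass, field

ITERATIONS = 100_000          # PBKDF2 work factor; raise for production use
DUMMY_SALT = b"\0" * 16       # used so unknown users cost the same time as bad passwords


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash; only the hash and salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Monitor:
    users: dict                      # username -> (salt, stored hash)
    policy: dict                     # username -> set of (action, resource) explicitly allowed
    log: list = field(default_factory=list)

    # Authentication: who is it?
    def authenticate(self, user: str, password: str):
        entry = self.users.get(user)
        if entry is None:
            hash_password(password, DUMMY_SALT)   # equalise timing for unknown users
            self._record(user, "login", None, False, "unknown user")
            return None
        salt, stored = entry
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        self._record(user, "login", None, ok, "ok" if ok else "bad password")
        return user if ok else None

    # Authorization: what can they do?  Anything not explicitly granted is denied.
    def authorize(self, principal, action: str, resource: str) -> bool:
        if principal is None:                     # unauthenticated callers get nothing
            return False
        return (action, resource) in self.policy.get(principal, set())

    # Accounting: what did they do?  Every access decision is recorded, allowed or not.
    def access(self, principal, action: str, resource: str) -> bool:
        allowed = self.authorize(principal, action, resource)
        self._record(principal, action, resource, allowed, "policy")
        return allowed

    def _record(self, who, action, resource, allowed, reason):
        self.log.append({"who": who, "action": action, "resource": resource,
                         "allowed": allowed, "reason": reason})


def build_demo() -> Monitor:
    """Constructed users and policy: alice may only read reports, bob may read and write."""
    alice_salt, bob_salt = b"alice-salt-0001\0", b"bob-salt-00000002"
    users = {
        "alice": (alice_salt, hash_password("correct horse", alice_salt)),
        "bob": (bob_salt, hash_password("battery staple", bob_salt)),
    }
    policy = {
        "alice": {("read", "/reports")},
        "bob": {("read", "/reports"), ("write", "/reports")},
    }
    return Monitor(users=users, policy=policy)


if __name__ == "__main__":
    m = build_demo()
    who = m.authenticate("alice", "correct horse")
    m.access(who, "read", "/reports")     # allowed: explicitly granted
    m.access(who, "write", "/reports")    # denied: not in alice's allowlist
    m.authenticate("mallory", "guess")    # denied and still logged
    for entry in m.log:
        print(entry)
```

The point the design makes is that "Passwords/Accounts" is only the first A: the policy table is an allowlist keyed by authenticated principal, so a missing entry is a denial rather than an error, and the log answers "what did they do?" for denials as well as successes.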