Firewall Wizards mailing list archives

Re: Best Practices


From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Fri, 21 May 2004 13:33:19 -0400 (EDT)

On Wed, 19 May 2004, Dana Nowell wrote:

Starting from the bottom ;> Yes, it's clearer *grin*

I've snipped much of what you've written, and ended up addressing this as
"you/your". It's intended as a convenience, not an irritation ;>

To summarize, you'd like to:

   (1)  Create a list of minimum best practices for computer security
   (2)  Create more targeted lists for specific markets/audiences
   (3)  Spread this throughout the security community, and beyond

Next you ask if it's possible to come up with a list that everybody
can agree on, looking specifically at the business space, rather than
the home user [which is another discussion in some, but not all ways].

Your list starts with:

Least privilege - I'd tend to bundle segmentation/compartmentalization,
        as well as reduced connections here, since those are really about
        providing the least privilege.  I'll certainly grant that they
        should be broken out for the sake of clarity within the least
        privilege bundle ;>

Passwords/Accounts - Hrm. This isn't actually what I'd want to use as
        a meta-concept.

        What you're trying to establish is that a given action was taken
        by a given, identifiable entity. I think that I'd be inclined to
        use something more like "Provable identity".  Take a look at AAA,
        which nicely describes the same general concepts.  Authentication
        [who is it?], Authorization [what can they do?], Accounting [what
        did they do?]

You skim, but don't really catch on to some of the ones that I consider
to be absolutely major - Risk Analysis and Policy.

In order to build any form of successful security infrastructure, you
need to know what you're protecting - and against what dangers you're
protecting it.  Risk analysis gives you that basic data.

Policy then describes how much you care, and what the basic constraints
for your infrastructure will be.

> If we concentrate on just the generic small business segment, I'd bet we
> can create list 'Foo SB'.  As we do the other segments we get lists 'Foo
> LB' and 'Foo Asset'.  Now I picked SB, LB, and asset, I'm not married to
> that specific split, just some agreed segmentation of the space.

IMHO, best practices aren't as much about giving people specific lists
about what to do - one of my ongoing issues with many of the books that
are published in the security field is the 'recipe' approach - as they
are about helping people to understand basic concepts that lead to good
security.

Following a list blindly doesn't indicate understanding of 'why', as
much as being able to type in 'how' - and we've all seen what happens
when [to go back to a different thread] people believe that there's a
technical panacea for non-technical issues. [0]

> What I'm suggesting, if extended out to a ridiculous extent, is similar to
> the RFC concept or the ANSI standard concept but for Internet connected
> network security.  I doubt we can get that far, but a similar process might
> be useful. (NOTE: I have no actual process in mind, this is a straw man at
> best)

Er. The RFC concept is interesting, but in general tends to be very good
for issues that are readily quantifiable such as protocols, and not nearly
as good for policy issues [which are subject to debate at the best of
times *grin*].

I think what we're talking about here is more of a highly accessible
'plain English' description of best practices than the labyrinthine and
precise world of ANSI and IETF specifications ;>  Correct me if I'm
mistaken about your intent, though ;>

> The obvious issue is: it is a hard problem.  Networks are diverse, can we
> find sufficient commonality?  Information gets quickly dated if specific so
> we need general principles not 'install a firewall here' stuff.  General
> principles may be too general to be useful and the specific information is
> too dated, so can we draw the correct line, is it even possible?

IMHO it's about teaching people why it's an important problem, and how
they can think about the problem, with general guidelines in their
particular environment.

> Whether this is viable or not, we need a plan to broaden the discussion and
> build a public base of knowledge that can be extended.  Specific
> discussions about network X in context Y are useful, but by definition,
> frequently too specific to extend knowledge broadly to other contexts.
> This list has to a large extent become more tactical than strategic (I
> have/posit problem X in Context Y, let's discuss is the general thread,
> IMO).  As wizards I propose we let the apprentices deal with the tactical
> and we deal with the strategic or at a minimum we try for a mix of some
> strategic with the tactical.  Why? Because today's tactical is next month's
> garbage as threats mutate but hopefully there are some basic strategic
> principles that have longer lives (which I THINK is where the original
> discussion needed to be broadened).

Well - in theory this list started out as a complement to the more basic
firewalls list, which consisted largely of "how do I do this" questions.

... but the firewalls list isn't active any longer, and people will find
places to ask their questions ;>

cheers!
[0] "I have a firewall, so my company must be safe"
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
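The message above argues for "provable identity" in AAA terms (who is it, what can they do, what did they do) with least privilege as a separate bundle. As an added illustration, not code from the thread or either of its authors, the following Python sketch wires those three questions together in the order a real access path would ask them: authenticate against a salted PBKDF2 verifier, authorize against an explicit per-role allowlist that denies anything not listed (the least-privilege default), and write an accounting record for every outcome, including failures. The user name "alice", the roles, the resource/action names and the password are constructed sample values, not from the page.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; tune for the deployment


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2_sha256 digest) for storing instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user store: one hypothetical account.
_salt, _digest = make_verifier("correct horse battery staple")
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_salt, _digest)}

# Authorization data (constructed). Only listed (resource, action) pairs are
# permitted; anything absent is denied, which is the least-privilege default.
ROLES: Dict[str, str] = {"alice": "operator"}
PERMISSIONS: Dict[str, set] = {
    "operator": {("firewall-rules", "read"), ("firewall-rules", "reload")},
    "auditor": {("firewall-rules", "read"), ("audit-log", "read")},
}

# Accounting: every decision, allowed or not, lands here.
AUDIT_LOG: List[dict] = []

# Dummy salt used so an unknown username costs the same time as a bad password.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> bool:
    """Authentication: does the caller hold the secret bound to this identity?"""
    record = USERS.get(username)
    if record is None:
        # Burn the same work for unknown names so timing does not leak them.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, ITERATIONS)
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: is this (resource, action) explicitly granted to the role?"""
    role = ROLES.get(username)
    return (resource, action) in PERMISSIONS.get(role, set())


def account(username: str, resource: str, action: str, outcome: str) -> dict:
    """Accounting: record who tried what and how it ended."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "resource": resource,
        "action": action,
        "outcome": outcome,
    }
    AUDIT_LOG.append(entry)
    return entry


def perform(username: str, password: str, resource: str, action: str) -> str:
    """Run the AAA chain; returns 'allowed', 'denied' or 'auth-failed'."""
    if not authenticate(username, password):
        account(username, resource, action, "auth-failed")
        return "auth-failed"
    if not authorize(username, resource, action):
        account(username, resource, action, "denied")
        return "denied"
    account(username, resource, action, "allowed")
    return "allowed"


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "firewall-rules", "read"))
    print(perform("alice", "correct horse battery staple", "audit-log", "read"))
    print(perform("alice", "wrong password", "firewall-rules", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point the sketch makes is that the three questions are answered by three separate mechanisms with separate data: the password store proves identity, the allowlist decides capability, and the log answers "what did they do" even for attempts that never got past the first check. A failed-authentication or denied record is as important to accounting as an allowed one.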

