Firewall Wizards mailing list archives

RE: Ok, so now we have a firewall, we're safe, right?


From: "Bill McGee (bam)" <bam () cisco com>
Date: Wed, 1 Jun 2005 16:03:03 -0700

This is a classic "perfect world" versus "real world" scenario. I think
Chris Blask nailed it on the head earlier when he said we have to
acknowledge (and live with) the limitations of what we have while
working to build something better. That's a challenge to be taken
individually AND as a collective.

Generally, I preach risk management rather than hard-line security,
because it is language that upper management tends to understand (even
better than ridicule and abuse, plus you tend to not get fired as often
;-)). Maximum risk reduction is always going to be a moving target, but
any reasonable security policy is based on a plan-build-analyze-improve
model that even the most curmudgeonly executives can buy into. 

The biggest challenge is that we have to live with the tools (and
budgets) we have, so a holistic approach is always going to be better
than the more common approach of over-investing/over-relying on a single
box with the latest gee-whiz features. This has probably contributed to
more problems than just about anything else, IMO.

Rather than praying/whining/demanding for folks in the security industry
to "get it right," we need to start now by putting (or, in many cases,
simply turning on!) security everywhere (endpoints, gateways, servers,
appliances, routers, switches, what-have-you), get these bits-and-pieces
talking to each other whenever and wherever we can, and at the same time
ensure that our Moms can still download pictures of their grandkids
without having to call us for tech support (I, for one, would REALLY
appreciate that!) 

-bill

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Mark
Tinberg
Sent: Wednesday, June 01, 2005 11:17 AM
To: Marcus J. Ranum
Cc: Paul D. Robertson; Fritz Ames; Ben Nagy;
firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 31 May 2005, Marcus J. Ranum wrote:

They're sensitive to ridicule and abuse. They're impervious
to clues.

While I appreciate the sentiment, I don't think that approach will work
for everyone.  Not everyone is curmudgeonly enough or has the cojones to
enter into an adversarial relationship with their superiors.  I don't
want that kind of stress and tension in my life, at my work, putting out
fires is less stressful for me.

I'm lucky that my bosses are largely intelligent people with whom I can
discuss problems and often-times come to a better solution than what I
had originally proposed.  Sometimes we disagree, and my bosses are wrong
8^), but part of my job is that when a decision is made above my
pay-grade, to do what I'm told.  I suppose I could quit every other
month when something doesn't go my way, like a petulant child, but that
doesn't seem productive to me.

At least that's how I see it.  I know that some people will and some
won't understand where I'm coming from, but I thought the statement
should be made, as an FYI, not so much as a discussion.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFCne1wFu7F5OUjbGcRAtooAJ0bjK4/4fLMwwFFjgObl6wv5uFBlwCgyIDb
JhaSOj0FKAhIi/ngzfk9lr8=
=te14
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards