Re: PCI DSS & Firewalls

[Bill McGee <bam () cisco com>]

Yikes!

Wouldn¹t it be nice if we all lived in Marcus¹ world? Perhaps we ought to
just mandate that everyone scrap their current networks and have Mr. Ranum
come in and redesign them from the ground up. We would clearly end this
issue of security breaches once and for all.

In the meantime, we really ought to be helping folks move from WHERE THEY
ARE to WHERE THEY NEED TO BE, even if it¹s in incremental baby steps, based
on ability, budget, and sensitivity to risk. This is the world that Chris
and I live in, and until Marcus¹ parallel universe overtakes our own, this
is the battle we all must fight.

Is that a nod for mediocrity? Hardly. The reality is that, incompetent or
not, many IT managers are doing the best they can with what they have, with
real constraints on what they can do next, and need our help within that
context. Short of a Ranum dictatorship, we really need to recognize that
wide-eyed idealism, however well-intentioned, is never a reasonable
replacement for dealing with the vagaries of the reality we actually
inhabit.

-bill


On 4/3/09 8:31 AM, "Chris Blask" <chris () blask org> wrote:

> Marcus J. Ranum <mjr () ranum com>, Friday, April 3, 2009 9:06:53 AM
>
> > >  Chris - you're better than this. Stop being an apologist for
> > >  mediocrity.
>
>
> I wouldn't put it that way myself, but I also wouldn't argue the fine points
> of the definition.  We live in a world of varying perfection and - while it is
> a wonderful thing to effect perfection where possible - it falls on us to
> devise solutions that also have a positive impact on mediocrity and even,
> where possible, function in the presence of incompetence.  It wouldn't be
> defensible for me to take this position unless there were others out there
> railing for perfection, but we're never short of such voices in our field.
>
> > >  All of us understand that you can do a half-assed job, or that
> > >  you can throw up your hands and say "things suck but I'll do the
> > >  best that I can in the circumstances."  We all know that. But
> > >  please don't adopt defeatism as policy.
>
>
> I leave it for others to judge, but I would hope that accepting defeatism is
> not a descriptive that would apply to me.  Rather,  I would say that I accept
> situations the way they are when I show up and do what I can to improve them.
> Whether it is accurate to say that a given situation sucks is a qualitative
> judgement that really requires a great deal of insight into the back story
> regarding how it got to the current state, and whether through lack of
> patience or attention span (I embrace my ADD) I only care about the past as it
> applies to the options for the future.
>
> Sure I often find myself in the position to be accused of 'defending
> mediocrity', but it's not in the context of giving up and accepting defeat.
> It's just the only way I know to limit the options I focus on to the ones that
> could actually appear in the real world.
>
> -chris
>
>
>       
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards