Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: Chris Blask <chris () blask org>
Date: Mon, 6 Apr 2009 11:45:31 -0700 (PDT)


Hi Jim,

Jim Seymour <jseymour () linxnet com>, Monday, April 6, 2009 9:25:55 AM
Bill McGee <bam () cisco com> wrote:


> It'd be a damn sight nicer than living in the world in which we
> currently find ourselves, where, due to vendor irresponsibility and
> end-user cluelessness (encouraged by said vendors, IMO), the concept of
> "network security" has become a joke.


Responsibility and cluelessness are not things that I will go out of my way to let anyone off for, but the subtext 
"encouraged by said vendors, IMO" I have to poke a stick at.  Maybe there really are some evil crafty cunning and 
skilled vendors out there who are manipulating all of this over Beluga caviar, Havana cigars, monocles and really evil 
laughs, but my experience working at these vendors is that any vendor culpability is much more rooted in the standard 
SNAFU background radiation that underlies human endeavor.  To achieve the foundation for endemically secure design, 
engineering, implementation and operation of one (1) Global Internet (with "Attached Private Networks" option!) is 
really really really hard and would require a great deal of effort and resource which has (a) not been spent, (b) won't 
be spent for a lot of boringly pedantic reasons and (c) would probably be SNAFUed by reality (Bobby Shaftoe would put 
it more colorfully) and not work, anyway.

> What Marcus is promoting isn't "wide-eyed idealism," it's reality.
> That reality being there's no such thing as "kind of secure."  It's either
> secure or it's not.  You, and those who believe, or purport to
> believe, as you do are promoting "good enough."  Well, half-way
> measures are *not* "good enough," *never* have been "good enough" and
> never *will* be "good enough."

I have to disagree.  There is very much a "kind of secure" and there is by no means any such thing as "secure".  
"Security" is a mirage - our Fiddlers' Green - to be approached indefinitely but never arrived at.  The question is 
never "how would you like your system secured from all potential intruders?" but rather "how much resource are you 
willing to spend increasing your system's security from where it is at the moment?"  Your network is as secure as (for 
example) your ability to resist Van Eck phreaking of your users' monitors, keep them from coming in with pinhole 
cameras in their shirts to tape everything on their screens, and lock down their brains.

As always, I am not saying that it is not worthwhile and effective to fight the good fight nor that any of us should 
take our responsibilities lightly - it is and we should.  But this is the same old purist vs. pragmatist argument and 
nothing has ever changed to make me think there is any pure solution to be had.  Even the very best Underground 
Black-Ops Government Datacenter will only incrementally creep closer to being all-caps "secure" and the rest of us will 
continue to live in a world that is somewhere short of that.

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards