Security Basics mailing list archives
Re: Re: securing a segment of a network
From: Bovril1a () netscape securityfocus com, net () www3 securityfocus com
Date: Mon, 8 Mar 2010 08:14:32 -0700
Unless you are in a high security environment the requirement from your auditors is an excellent example of why auditors do not and never ever should run systems....... Based on the caveat above, the issue has probably nothing to do with network segregation or segmentation and everything to do with effective permissionings. First we strip the perceived issue Before you EVER accept an audit finding it needs to meet a basic "Rule of 4" The finding has to be TRUTHFUL, it is a real thing, not supposition, belief or prejudice from a checklist The finding has to be VERIFIABLE, it has be capable of demonstration, measurable, a log, a process a real thing. The finding has to be REPRODUCIBLE, it has to be capable of being show, it is an actual ongoing issue. "On Tuesday we saw a server lose it's network connection" is NOT a finding it's operational support. "Every Friday at 8:00pm connection to the satellite office drops" IS a finding Lastly, the finding has to ADD VALUE. That add value may be to address an internal or external policy or regulatory requirement, if not remediated, private data can be compromised, the financial exposure is XXXXXXX USD/GBP. Without all 4 rules in place this is not a finding, it is suppostion and a wishlist. I bet dollars to donuts that wasn't applied when this finding came up. Now to the issue itself. I am willing to believe the issue was actually about potential inappropriate access to system resources such as applicatiions, shares and/or privileges. Splitting the network does not address this in any way, at best it camouflages the actual risk. The only other time the issue MAY have some credibility is for example, if you are directly managing equipment in the dirty side of a DMZ directly from your internal network.... Return to the ACTUAL risk, what it consists of and what logical controls need to be implemnetd to cover the risk as well as be practically supported. At the moment you are one audit away from being hauled over the coals for implementing a "solution" that actually increases the organizations operational risk....... ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: securing a segment of a network, (continued)
- Re: securing a segment of a network Pierre Jaury (Mar 04)
- Re: securing a segment of a network Kurt Buff (Mar 04)
- Re: securing a segment of a network Curtis Duck (Mar 04)
- RE: securing a segment of a network Malick Sy (Mar 04)
- Re: securing a segment of a network Pablo Sanz Mercado (Mar 04)
- Re: securing a segment of a network John Morrison (Mar 04)
- Re: securing a segment of a network dwg5901 (Mar 04)
- Re: securing a segment of a network Adam Pal (Mar 08)
- Re: securing a segment of a network Roger D Vargas (Mar 08)
- Re: securing a segment of a network Adam Pal (Mar 08)
- Re: securing a segment of a network Roger D Vargas (Mar 08)
- Re: Re: securing a segment of a network Bovril1a (Mar 08)
- Re: securing a segment of a network krymson (Mar 09)