Firewall Wizards mailing list archives
Re: Security Policy
From: Bennett Todd <bet () rahul net>
Date: Fri, 24 Oct 1997 04:18:23 -0700
On Thu, Oct 23, 1997 at 08:35:58AM -0400, McKenna, Joe wrote:
> For the most part, I agree that the security policy should be the same for the firewall and the rest of the organization. [...]
Oops --- I think we're talking past one another here. From that statement (and the ones below as well) I'm pretty sure you're saying ``security policy'' and referring to ``security implementation''. Security _policy_ is a statement of the organization's security goals and requirements. It is common to all systems; in fact it doesn't need to mention systems. Different systems have different uses, and different exposures to risk, and so will require different sorts of security _implementation_ to address the relevant requirements of the security _policy_.
> [...] But, there are policies that are mandatory in a firewall might be a hard sell for the rest of the organization. [...]
Say instead that the firewall, being directly exposed to the internet, requires security restrictions that aren't needed on interior machines, to meet your organization's security policy. This is the common state of affairs, and to a degree it's usually appropriate. It's still important to remember that the firewall doesn't keep out physical intruders, malicious insiders, people who succeed in exploiting inappropriate modem hookups on desktops, people who succeed in burgling sendwhales by remote control, etc., etc. There is a lot that can be done on the inside net to fix security problems without any visible impact on legitimate users, and it's important to do that.
> [...], but implementing this on an HR system with hundreds of users can be a management nightmare. So people take the easy way out by using login name and password and hope others won't probe and snoop.
I doubt many organizations use authentication tokens for internal logins; userid/passwd are still the norm in that setting.
> The policy can be stated, but enforcing it is another matter.
If enforcing it is another matter, then the security admin has some work they have to do. From your earlier comments I suspect there isn't a proper security _policy_ at all. The security policy needs to lay out the organization's security requirements; these are generally driven by system availability, data integrity, and data confidentiality. These will vary from department to department, and sometimes even within a single department. Such a statement can have the assistance of a security admin, to help make sure it's complete, sufficiently detailed to determine the security implementation, and not too expensive to implement. But whether or not the security admin helps, the security policy gains the authority it must have from the senior management that sponsors it.

The security policy is the basis for enforcement of the security implementation. With a well-designed policy, properly endorsed and supported by senior management, and a well-crafted security implementation that supports the security policy with the irreducible minimum of inconvenience to users, there's no problem with enforcement, none at all. People who are breaking the security implementation are directly failing to support the organization's needs as expressed in the security policy.

-Bennett