Firewall Wizards mailing list archives

Re: Policy and administration was Re: Firewall administration.


From: Ted Doty <ted () iss net>
Date: Mon, 13 Oct 1997 08:29:37 -0400

At 05:44 PM 10/12/97 -0400, Mark Teicher wrote:

> Based on your comments below, you are stating that depending on the
> firewall/internet/security solution a particular corporation, organization,
> selects, then that also depends on staffing requirements, design of
> security policies, network architecture, security matrices and event
> escalation..

Actually, I don't think that this is quite true.  I agree with Bennett that
many firewall implementations can be relatively simple.  I do think that
the overall process of ensuring that your security is working applies to
both large and small organizations.  Anything that a large organization
does to maintain their posture should also be done by small ones, albeit
on a small scale.

> So what is your ideal solution then based upon those criteria??

Ted's list of what every organization needs:

1. A simple statement of policy.

2. A mapping of implementation into policy, hopefully with contradictions
resolved ("FTP is bad, but Web is OK").

3. Periodic tests to show that the security posture isn't changing due to:
        a. Changes in the firewall config
        b. changes in the firewall code (updates)
        c. changes in the attacks used on the net (e.g. persistent attacks
           from a particular source)

In Fortune-500 speak, #1 is the domain of Management, #2 is the domain of
MIS, and #3 is the domain of the auditors.  Commonality is provided by the
security officer.  There's actually a good reason that different people do
the audit, for the same reason we have different people test our code -
it's too easy to say "Oh yeah, I knew that."

I don't see why a small company doesn't need this, too.  Nothing has to be
printed in multi-hundred page reports, but I get very nervous without a
feedback loop.  At the very minimum, their security posture goes out the
window when their firewall administrator gets hit by a bus.

What this is really getting at is that Bennett is correct, and more or less
has #2 covered (maybe #1 as well).  Adding periodic checks to make sure
that goll dang it, things *are* OK is simple prudence.

Extending this to a topic that keeps coming up, I see this as a *perfect*
service for an ISP to offer to small business.

- Ted

----------------------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://eng.iss.net/~tdoty
----------------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
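
The feedback loop in items 2 and 3 of the list above, sketched as an added example that is not part of the original message: a policy-to-implementation mapping checked for contradictions, then compared against what is actually reachable through the firewall on two successive test runs. All names, the default-deny assumption and the sample observations are hypothetical and constructed for illustration.

```python
# Added example; every name and value here is constructed, not from the post.
DEFAULT = "deny"  # assumption: services the policy does not name are denied

def find_contradictions(rules):
    """Item 2: rules is a list of (proto, port, decision).
    Return the services that were given more than one decision."""
    seen = {}
    for proto, port, decision in rules:
        seen.setdefault((proto, port), set()).add(decision)
    return sorted(svc for svc, decisions in seen.items() if len(decisions) > 1)

def audit(policy, baseline, current, default=DEFAULT):
    """Item 3: compare the services reachable now (current) with the policy
    and with the previous test run (baseline). Both are sets of (proto, port)."""
    findings = []
    for svc in sorted(current):
        if policy.get(svc, default) == "deny":
            # Separate exposure that appeared since the last run (config or
            # code change) from exposure that was already there.
            kind = "standing-violation" if svc in baseline else "new-violation"
            findings.append((kind, svc))
    for svc in sorted(baseline - current):
        if policy.get(svc, default) == "allow":
            # A permitted service vanished: the posture changed, even if
            # in the "safe" direction, and someone should know why.
            findings.append(("allowed-service-lost", svc))
    return findings

# "FTP is bad, but Web is OK", written down as data (mail added as a sample).
POLICY = {("tcp", 21): "deny", ("tcp", 80): "allow", ("tcp", 25): "allow"}

# Constructed results of two periodic external tests.
LAST_RUN = {("tcp", 80), ("tcp", 25)}
THIS_RUN = {("tcp", 80), ("tcp", 21), ("tcp", 8080)}

if __name__ == "__main__":
    draft = [("tcp", 21, "deny"), ("tcp", 80, "allow"), ("tcp", 21, "allow")]
    print("contradictions in draft mapping:", find_contradictions(draft))
    for kind, (proto, port) in audit(POLICY, LAST_RUN, THIS_RUN):
        print(f"{kind}: {proto}/{port}")
```
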


