Firewall Wizards mailing list archives
Re: Policy and administration was Re: Firewall administration.
From: Ted Doty <ted () iss net>
Date: Mon, 13 Oct 1997 08:29:37 -0400
At 05:44 PM 10/12/97 -0400, Mark Teicher wrote:
Based on your comments below, you are stating that depending on the firewall/internet/security solution a particular corporation, organization, selects, then that also depends on staffing requirements, design of security policies, network architecture, security matrices and event escalation.
Actually, I don't think that this is quite true. I agree with Bennett that many firewall implementations can be relatively simple. I do think that the overall process of ensuring that your security is working applies to both large and small organizations. Anything that a large organization does to maintain their posture should also be done by small ones, albeit on a small scale.
So what is your ideal solution then based upon those criteria??
Ted's list of what every organization needs:

1. A simple statement of policy.
2. A mapping of implementation into policy, hopefully with contradictions resolved ("FTP is bad, but Web is OK").
3. Periodic tests to show that the security posture isn't changing due to:
   a. Changes in the firewall config
   b. changes in the firewall code (updates)
   c. changes in the attacks used on the net (e.g. persistent attacks from a particular source)

In Fortune-500 speak, #1 is the domain of Management, #2 is the domain of MIS, and #3 is the domain of the auditors. Commonality is provided by the security officer.

There's actually a good reason that different people do the audit, for the same reason we have different people test our code - it's too easy to say "Oh yeah, I knew that."

I don't see why a small company doesn't need this, too. Nothing has to be printed in multi-hundred page reports, but I get very nervous without a feedback loop. At the very minimum, their security posture goes out the window when their firewall administrator gets hit by a bus.

What this is really getting at is that Bennett is correct, and more or less has #2 covered (maybe #1 as well). Adding periodic checks to make sure that goll dang it, things *are* OK is simple prudence.

Extending this to a topic that keeps coming up, I see this as a *perfect* service for an ISP to offer to small business.

- Ted

----------------------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://eng.iss.net/~tdoty
----------------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE