Firewall Wizards mailing list archives

Re: [fwd] Firewall Products: Many Not Ready For Prime Time,


From: Christopher Nicholls <chrisn () softway com au>
Date: Thu, 02 Apr 1998 10:29:45 +1000

At 17:48 1/04/98 -0500, Adam Shostack wrote:
Christopher Nicholls wrote:

| I couldn't agree more. Further, I think one of the most alarming trends
| developing is the movement towards "shrink-wrap firewalls" - buy now pay
| later! If ever there was an item not to be bought off-the-shelf, it's
| security. Maybe one day we will be able to use self configuring f/w

      I disagree strongly, unless you agree to add the word "today,"
so that the sentence reads '...not to be bought off-the-shelf
today,...' then sure.  But we need to move to a situation where new
products come with security because it's one of those things that
engineers think about when building the toolkits that companies use to
build products.

Today yes, that is why I said "...Maybe one day...". I was suggesting that
software cannot do it alone, and that many MIS managers are not able to
discern against good, bad, and indifferent firewall and security products.
To make the selection of such complex systems a matter of a supermarket
decision is anathema. Today. Actually I rather like the idea of "secure
applications" that MJR was suggesting a while back...

      Adding security on after a product is developed costs about
ten times as much as adding it during development.  Adding security
after deployment is nigh well impossible.  You may add client
authentication, hijack resistance, and some other stuff, but if your
application has no security, then it may not do a lot of good.

Adding security? I wasn't suggesting adding security... adding good
policies, commonsense and expert advice yes - and some sound education so
that MIS managers are able to be more across these issues - *prior* to
selection and implementation.

There are a number of significant products out there which can competently
protect our networks, but the implementation of them is one area in
Information Systems which needs a lot of work, and the trouble is, there is
a great deal of pressure being put on MIS managers by senior management to
get Internets and Intranets up and running quickly, thus exacerbating the
problem of selection and implementation of firewalls.

There are plenty of examples of highly regarded f/w systems badly
implemented or severely compromised by lack of knowledge, all for want of
good management, sound IT security policies, and monitoring. I don't see
any products at this stage which can write their own security policies...;-)


| 2) you (the consultant) are not just holding the high intellectual ground to
| prevent them from such implementations and 3) IT security is not talismans
| and incense?

You do this by making security more than talismans and incense.  This
requires an engineering process that doesn't often result in things
like Biham's recent crack of X9.52.  Security is not often engineered
today, which means that management perception of it is reasonably
accurate as talismans and incense.

I partially disagree... I see this as part educative and part software
engineering. Neither by itself can achieve the goal completely. I take your
point about management perception - they do tend to see it all as smoke and
mirrors, but this should be addressed by sensible information - not
marketspeak, nor technospeak. That is what I was getting at by my reference
to the "high intellectual ground".

| A firewall is not a means unto itself - it is only the proverbial tip of
| the (security) iceberg.

ok, we can agree on this. :)

Mmmm... that was the basis of my point.

Regards

Christopher
-----------------------------------------------------------------------------
Christopher Nicholls
chrisn () dynamite com au   ~~~~~~~   chrisn () softway com au
-----------------------------------------------------------------------------
m:      0411 454755     
w:      +61 2 6243 4834 h:      +61 2 6241 2112
wf:     +61 2 6243 4848 hf:     +61 2 6241 8926
-----------------------------------------------------------------------------


