Firewall Wizards mailing list archives
Re: Cisco PIX bug, discussions (lenghty)
From: Robert Stahlbrand <robert () nmac ericsson se>
Date: Thu, 27 Aug 1998 16:20:09 +0200 (MET DST)
On Wed, 26 Aug 1998, Travis Low wrote:
> At 09:58 AM 8/25/98 -0700, Ryan Russell wrote:
> > If I may also make a sweeping statement: Performance isn't relevant to security applications. I.e. you can't say "it will hurt performance, so we'll leave out some security." If that were a consideration, we wouldn't use firewalls. Realistically, that means that if it's too slow we buy bigger boxes or suffer along at a slower pace.
>
> End users don't like to suffer. If performance is lousy, they will try to circumvent security procedures in order to get Real Work done. Thus, security policy implementations need to take human impatience into account. It follows that performance is relevant to security.
But that is no excuse for you to do a lousy job! If they want to break the security policy it's up to them. Just inform the boss and he'll chop their head off (although some bosses tend to be the ones breaking the policy :-).
> Real life example: Company allows zero incoming TCP connections, so users secretly buy and install modems.
Real life example: Which makes them personally responsible if there's an intrusion through their modem if your policy was written correctly. The person was fired immediately!
> Travis
> --------------------------------------------------------------------
> Travis Low                MindQ Publishing
> tlow () mindq com         11490 Commerce Park Drive #400
> +1 703 262 6616 (vox)     Reston VA 20191-1532 USA
> +1 703 716 0237 (fax)     http://www.mindq.com
> --------------------------------------------------------------------
> "What are you eating? Are you a rubbermint?" -- Tiernan Low

/Robert Stahlbrand, Ericsson Telecom AB
"Real hackers don't die, their TTL expires."