Re: Cisco PIX bug, discussions (lenghty)

[Robert Stahlbrand <robert () nmac ericsson se>]

On Wed, 26 Aug 1998, Travis Low wrote:

> At 09:58 AM 8/25/98 -0700, Ryan Russell wrote:
> > If I may also make a sweeping statement:
> >
> > Performance isn't relevant to security applications.  I.e. you
> > can't say "it will hurt performance, so we'll leave out some
> > security."  If that were a consideration, we wouldn't use firewalls.
> > Realistically, that means that if it's too slow we buy bigger
> > boxes or suffer along at a slower pace.
>
> End users don't like to suffer.  If performance is lousy, they will try to
> circumvent security procedures in order to get Real Work done.  Thus,
> security policy implementations need to take human impatience into account.
>  It follows that performance is relevant to security. 

But that is no excuse for you to do a lousy jobb! If they want to break
the security policy it's up to them. Just inform the boss and he'll chop
their head off (although some bosses tend to be the ones breaking the
policy:-).
 
> Real life example:  Company allows zero incoming TCP connections, so users
> secretly buy and install modems.

Real life example:
Which makes them personal responsible if there's an intrusion through
their modem if your policy was written correct. The person was fired
immediately!

> Travis
>
> --------------------------------------------------------------------
> Travis Low                                          MindQ Publishing
> tlow () mindq com                        11490 Commerce Park Drive #400
> +1 703 262 6616 (vox)                       Reston VA 20191-1532 USA
> +1 703 716 0237 (fax)                           http://www.mindq.com
> --------------------------------------------------------------------
>     "What are you eating?  Are you a rubbermint?" -- Tiernan Low

/Robert Stahlbrand, Ericsson Telecom AB

"Real hackers don't die, their TTL expires."