Firewall Wizards mailing list archives

RE: Next Generation Security Architecture


From: Nigel Willson <NWillson () tbg com>
Date: Fri, 16 Feb 2001 16:21:59 -0700

Agree 100% that technology only plays a supporting role.

I ran security and enterprise management for Disney's
Internet presence and in operating technology was 20%.

Enterprises do need help, however, to dig out from what
they have today and to develop an architecture, in a 2-3
year plan that sets the direction, consolidates, integrates,
and in a migration strategy, begins to improve the complex
and fragmented reality of today. Or we can give up?

I wouldn't buy this one from a vendor, it has to be a set of
open, integrated, and interoperable best-of-breed solutions
-- the distributed mainframe.

These solutions are still only emerging. Recent security
vendor consolidation has only served to create ugly suites
cobbled together, as Marcus states.

The standards are not there, lagging innovation as they always
will. So the architectural jigsaw puzzle needs some exceptions,
to support legacy commitments, to support tactical "fire"
solutions, to support un-planned new technologies and 
developments, to support lack of budget/resources -- however the
puzzle needs to be defined.

I can itemize a strong value proposition from doing this and
the ROI is significant. The question is, how do you communicate
that when security has attained a bad connotation of an 
impossible goal, too complex, insolvable, always flawed, etc.

Education? Or a workable set of architecture templates that 
set a reasonable tiered and evolving standard, as a security
maturity capability model, raising the bar.

By defining architecture we can help incite the vendors to
build the technologies needed to fill the gaps. It'd be cool
if customers drove vendors, rather than vendors convince
customers that this is "the" technology that will solve your
security problems, hmmmm? Isn't this organic?

Companies do need to clean house. Complexity is the enemy of
security. Recent evolution has exacerbated complexity, opening
backdoor opportunities. Enterprises feel a need to build
solid perimeter walls which are then extended to employee
homes, opened to partners and penetrated through the need
to share and communicate richly as an object in a community.

Infrastructure is a major investment for larger enterprises
and it is extremely expensive to change it. There is a 
tendency to take something that was not designed for today's
networked economy and bolt-on new capabilities. This "chassis"
runs as expected, poorly and insecurely.

By putting all of that behind us and taking a fresh new look
at security, at this Firewall technology that is well past 
its sell by date, a next generation architecture can be
developed that will get the enterprise where it needs to go,
in order to be agile and competitive in the network economy.

;-)

Nige.

Senior Consultant
iSecurity Program
The Burton Group
http://www.tbg.com



-----Original Message-----
From: Lance Spitzner [mailto:lance () spitzner net]
Sent: Friday, February 16, 2001 9:35 AM
To: Marcus J. Ranum
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture


On Fri, 16 Feb 2001, Marcus J. Ranum wrote:

I was recently meeting with a bunch of venture capitalists and they
asked me "why won't someone just build an all-singing all-dancing
chop-dice-slice-shred-floorwax-dessert topping security system and
own the whole market?" (implying I should)   I don't think it's possible
because in order to "do it right" one would need to build best-of-breed

That's a huge order. I don't think it's possible to solve all those problems
simultaneously and well. It's possible to solve them all simultaneously
and badly - by acquiring technology and trying to glue it together with
duct tape, spit, and wet soap.

My experience tells me that for effective security, risk must be mitigated
at all layers of an organization, from physical, application, networking,
social engineering etc.  Any weakness in any layer exposes an organization
to risk.  I personally do not see how a 'single' solution can touch all
of the layers involved.

lance

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

