Firewall Wizards mailing list archives
RE: Next Generation Security Architecture
From: Nigel Willson <NWillson () tbg com>
Date: Fri, 16 Feb 2001 16:21:59 -0700
Agree 100% that technology only plays a supporting role. I ran security and enterprise management for Disney's Internet presence and in operating technology was 20%. Enterprises do need help, however, to dig out from what they have today and to develop an architecture, in a 2-3 year plan that sets the direction, consolidates, integrates, and in a migration strategy, begins to improve the complex and fragmented reality of today. Or we can give up?

I wouldn't buy this one from vendor, it has to be a set of open, integrated, and interoperable best-of-breed solutions -- the distributed mainframe. These solutions are still only emerging. Recent security vendor consolidation has only served to create ugly suites cobbled together, as Marcus states. The standards are not there, lagging innovation as they always will. So the architectural jigsaw puzzle needs some exceptions, to support legacy commitments, to support tactical "fire" solutions, to support un-planned new technologies and developments, to support lack of budget/resources -- however the puzzle needs to be defined.

I can itemize a strong value proposition from doing this and the ROI is significant. The question is, how do you communicate that when security has attained a bad connotation of an impossible goal, too complex, insolvable, always flawed, etc. Education? Or a workable set of architecture templates that set a reasonable tiered and evolving standard, as a security maturity capability model, raising the bar. By defining architecture we can help incite the vendors to build the technologies needed to fill the gaps. It'd be cool if customers drove vendors, rather than vendors convince customers that this is "the" technology that will solve your security problems, hmmmm? Isn't this organic?

Companies do need to clean house. Complexity is the enemy of security. Recent evolution has exacerbated complexity, opening backdoor opportunities.
Enterprises feel a need to build solid perimeter walls which are then extended to employee homes, opened to partners, and penetrated through the need to share and communicate richly as an object in a community. Infrastructure is a major investment for larger enterprises and it is extremely expensive to change it. There is a tendency to take something that was not designed for today's networked economy and bolt-on new capabilities. This "chassis" runs as expected, poorly and insecurely. By putting all of that behind us and taking a fresh new look at security, at this Firewall technology that is well past its sell-by date, a next generation architecture can be developed that will get the enterprise where it needs to go, in order to be agile and competitive in the network economy. ;-)

Nige.
Senior Consultant
iSecurity Program
The Burton Group
http://www.tbg.com
-----Original Message-----
From: Lance Spitzner [mailto:lance () spitzner net]
Sent: Friday, February 16, 2001 9:35 AM
To: Marcus J. Ranum
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture

On Fri, 16 Feb 2001, Marcus J. Ranum wrote:

> I was recently meeting with a bunch of venture capitalists and they asked me "why won't someone just build an all-singing all-dancing chop-dice-slice-shred-floorwax-dessert topping security system and own the whole market?" (implying I should) I don't think it's possible because in order to "do it right" one would need to build best-of-breed That's a huge order. I don't think it's possible to solve all those problems simultaneously and well. It's possible to solve them all simultaneously and badly - by acquiring technology and trying to glue it together with duct tape, spit, and wet soap.

My experience tells me that for effective security, risk must be mitigated at all layers of an organization, from physical, application, networking, social engineering etc. Any weakness in any layer exposes an organization to risk. I personally do not see how a 'single' solution can touch all of the layers involved.

lance

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards