Firewall Wizards mailing list archives
Re: iso 17799
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 21 Jul 2004 04:42:10 +0530
On 20/07/04 14:00 -0400, Dana Nowell wrote:
<snip>
> > I can likely negate 90% of the same risk with 10% of most "Best practices" - so it's really expensive to implement the other 90% of those practices - without a good risk/reward scheme or legislation, people are unlikely to go full-force on such systems. I can also implement them poorly or well - none of that seems to make them any easier.
>
> Great, how do the rest of us learn to negate 90% of the risk? Got a paper somewhere? Written up an FAQ? Guideline? "Best Practice"? :-) Know of a good repository of that type of thing? Or is every newbie supposed to post the question to the list to extract your knowledge, say every other month? ('cause you KNOW they don't search the archives)
I was thinking about this topic a few hours before this mail came in. I think that the discussion on airgap firewalls and TCP resets in BGP does cover quite a bit of ground on that topic. IIRC, the NIST does have guidelines and checklists for such things.

A short list of points of security concepts (which need to be understood):

1> Security is all about limiting access.
2> 100% control is impossible. There are always risks.
3> The cost of implementing a security solution MUST always be less than the possible loss.
4> Security is defined by a policy, which has to be set by management.
5> Security should not be the responsibility of a single system. It must be pervasive through the organisation.
6> This means that security covers things like physical security, network security for servers, desktops, network equipment and the network itself.
7> Firewalls are supposed to separate and restrict traffic.
8> Firewalls should be in default deny mode because their job is to restrict.
9> All users should be given the least privileges and access they need to do their job. Any process other than the kernel is to be treated as a user. This may involve not having the user connect to the network at all.
10> Monitoring your systems is an integral part of security. This is where an IDS and log analysis come into play.
11> Acting on the reports of the monitoring systems is defined by the policy.
12> Always remember to ask for business justification if asked to make any changes.
13> Document everything.
14> Have a backup policy handy. Disasters do happen.

Anything generic that I have missed out?

<snip>
> IMO, the 'push for standards' is because the field is exploding AND maturing and many, many, newbies are being thrown in to the fire everyday. The brighter (mentally, not visually) of the crispy critters are looking for some sort of centralized help instead of 10,000 'one shot' questions on a list.

Is that the brighter ones, or the less bright ones who can't figure things out for themselves because they don't know how? I know I learnt a lot lurking on this list and reading things. The security-basics list at securityfocus was useful earlier. There are *lots* of books on security in the market today. "Building Internet Firewalls" is a pretty good one to start off with.

> Don't get me wrong, the list is useful. I've been on the/a firewalls list since GreatPlains hosted one. But now that I'm stuck between the current crop of crispy critters and the Pointy Haired Boss, something to point one or the other at would help :-). So I have my list of reference materials for the critters, I cull the tech news regularly for the PHB, do my work, and try to find time to expand my sources, oh yeah, and fit in a life. In my spare time, I dream of the magic repository that will actually off-load some of the work. I'm not sure it will, or can, ever exist but it sure would be nice.
Don't we all?
> The frustration is that people on this list 'generally' solve the same problems, use lots of the same references, sites, and resources. This list is dedicated to answering specific questions about firewall implementations, a good thing. However no centralized list or repository exists to share the 'other' information required in the real world (training materials, reference materials, example risk assessments/documents, staff/food chain management issues, software, etc.). The list is good, it does its job well, too well, people want the other problems solved as well and currently they can't have it.
There is a list on risks out there. I have heard it is fairly good, but I really can't keep up with current mail either. Software is available, lots of choices. The knowledge to make an informed choice is slightly harder to get.
> In one man's opinion, that's one of the main reasons why we see the push for 'standards'. It's not really standards people want, so much as direction/help with the 'other' parts of their job. The learning, training, tools, samples, and other pieces that list isn't fully supplying would probably sate some of the hunger and be more real world useful than a bucket full of rigid standards.
Agreed. Even more than the learning and training materials, the reference materials for the "social" part of security are what is missing. How to say no to a manager when (s)he is screaming at you to do something that you aren't confident about. Sample documentation on justifying security expenses. This sounds rather like the contents of a management course :).

Devdas Bhagat
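Points 7 to 11 of the list in this message (firewalls restrict, default deny, least access, monitor, act on the reports) are easy to state and easy to get wrong in a rule set. The following is an added example, not code from the thread or from either poster: a small first-match packet-filter evaluator in Python that runs the same explicit allow list under a default-accept chain and under a default-deny chain, then flags the traffic that only got through because of the default. The rules, addresses (documentation ranges) and sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (
            self.proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt["dport"])
        )


def evaluate(rules, default: str, pkt: dict):
    """First matching rule wins; if nothing matches, the chain's default policy decides.
    Returns (verdict, rule); rule is None when the default policy made the decision."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return default, None


# Constructed rule set (hypothetical hosts in the 203.0.113.0/24 documentation range):
# only traffic with a business justification is listed, nothing else.
ALLOW_RULES = [
    Rule("accept", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # public HTTPS on the web server
    Rule("accept", "tcp", "10.0.0.0/8", "203.0.113.20/32", 22),  # admin SSH, internal sources only
]

# Constructed sample packets, as the firewall would see them.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},   # the expected service
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.20", "dport": 22},    # SSH from the Internet
    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 8080},  # a listener nobody asked for
    {"proto": "udp", "src": "10.1.2.3",     "dst": "203.0.113.10", "dport": 161},   # SNMP from inside
]


def compare_policies(rules, pkts):
    """Same rules, two chain defaults.
    Returns (dst, dport, verdict under default-accept, verdict under default-deny) per packet."""
    rows = []
    for pkt in pkts:
        accept_verdict, _ = evaluate(rules, "accept", pkt)
        drop_verdict, _ = evaluate(rules, "drop", pkt)
        rows.append((pkt["dst"], pkt["dport"], accept_verdict, drop_verdict))
    return rows


def passed_only_by_default(rules, pkts):
    """Under a default-accept chain, traffic no rule explicitly allowed still gets through.
    Listing it is the monitoring hook from points 10 and 11: each entry is a decision
    nobody configured and nobody justified."""
    return [pkt for pkt in pkts if evaluate(rules, "accept", pkt) == ("accept", None)]


if __name__ == "__main__":
    for dst, dport, a, d in compare_policies(ALLOW_RULES, SAMPLE_PACKETS):
        print(f"{dst}:{dport:<5} default-accept={a:<6} default-deny={d}")
    print("accepted only because of the default policy:",
          [(p["dst"], p["dport"]) for p in passed_only_by_default(ALLOW_RULES, SAMPLE_PACKETS)])
```

With the default-deny chain only the justified HTTPS traffic passes; the Internet-sourced SSH attempt, the unplanned 8080 listener and internal SNMP are all dropped without anyone having to anticipate them. Under default-accept the identical rule list passes all four, and `passed_only_by_default` is the list you would want your log analysis to surface.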