Firewall Wizards mailing list archives
Re: iso 17799
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 21 Jul 2004 15:58:35 -0400
Dana Nowell wrote:
Thanks for the list, but methinks your rant missed the point. :-).
No, I understood your point. I just don't think education is the issue. :)
Having worked in several micro start-ups and small companies throughout my career, I can assure you they don't buy $100,000 doo-dads.
Uhm, I know. I've done start-ups too.
In fact the entire operations budget (host, network, security, etc) MIGHT be $100,000/yr including salaries.
Right, then you're small enough to approach security as a non-technical problem and actually solve it. By making sure your users are controlled, your network is tight, and your security is not a problem. It's only the big companies that are so pervasively populated with stupid middle managers and C-level execs that they can afford to buy $100,000 doo-dads. If you're small, you're small enough to implement simple proxy servers, segment your network, etc. It's much easier to overcome office politics and layer 8 issues in a small company.
So I think your definition of small company and my definition of small company are different (hint, if you need to use your fingers AND toes to count staff, you are closing on the upper limit, borrow Paul's too and we're more than covered ;).
Hey, I used to be able to fit my entire company's staff AND a case of beer in a small hot tub. "Been there, done that."
Maybe where you work, a $100,000 doo-dad
Maybe you need to go back and actually read my posting. Or, perhaps it was so badly written that you managed to get the exact opposite message from it than I intended. :( I was *trashing* the idea of the $100,000 doo-dad. It's a stupid approach. Did *ANY* of the "good practices" I post say "buy a $100,000 doo-dad"? They were all "do this" "don't do that." Most of the ideas I was recommending are cheap to implement technically, though often costly in terms of organization and office politics (which scale as the organization scales)
The push for standards by the marketing weenies has always existed. As you state, because it helps them gain control over the market. BUT there is now push for standards from the customer/geek/CEO and not because they want the vendor to control the market. It's because they need help, any help in getting a handle on direction.
I see little evidence of that. In fact, the trends I see in the industry are largely contrary to what you assert. Can you explain the basis of your belief?
Oh, and for the record Marcus, we are outbound only, have a DMZ, and consider the DMZ pre-poisoned whenever feasible. Handle attachments at the gateway, use a mix of stateful and level 7 service handlers. Disallow new protocol/service requests as a matter of course until a justification is made. We DO NOT ALLOW mobile users direct access to the internal network, they get a VERY few services (like mail) and are on a different logical subnet with different firewall rules (in fact we export EXACTLY 4 services to the public and about 6 to mobile users). We use default deny. We use a centralized antivirus install that autoupdates the desktops as patches are provided by our vendor (about a 10 minutes delay) all automagically, even nights and weekends. We use centralized mail services that do SPAM and attachment handling. We are small enough that almost all firewall traffic is logged, certainly ALL inbound traffic is logged. All logs are autoscanned via cron each night and a summary is emailed to me and several others (vacation issue).
SO WHAT IS YOUR PROBLEM? You've done all the "good stuff" I can think of!! My guess is your security is probably pretty good, right? That description you give above is a nice blueprint of a well-secured network. It's great!! That's how anyone with a clue secures their network. I bet you survive attacks that whack the stuffing out of your peers, right? Easily, right?
As much as I'd like to be unique, the number one, most secure, top of the pile, best in the business guy in the industry, I doubt it.
There is no such thing!! I mean, there's the guys who took bolt-cutters to their network connections and who epoxy their CAT-5 cables into the jacks, etc. If you asked them, they wouldn't tell you they were unique or #1, they'd just tell you they "solved the problem." There's always trade-offs in doing so. Namely connectivity. But connectivity is vastly overrated. ;)
I tend to think that if I need information, some other people might like it too, and probably several hundred people already have it.
Yeah...
I spend some time each month keeping up, researching patches/bugs, learning about new tech, looking at protocols, writing memos on tech, etc. Any repository that helps me or helps my admins so I get more time and they still get it right is an official 'good thing' from my perspective, but maybe I'm unique.
Clueful people have no problem (apparently you haven't, ergo you must be clueful!) finding the information they need and making sense out of it. Clueless people aren't going to use the information even if you chew it up into a palatable mush and squirt it down their throats the way a mother bird does for its chicks. They are beyond help. Don't waste your time on them. Tell them to buy the $100,000 doo-dad and solve the problem (as you have done) with a little discipline, some attention to detail, and brainpower. mjr. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: iso 17799, (continued)
- Re: iso 17799 Paul D. Robertson (Jul 21)
- Re: iso 17799 George Capehart (Jul 21)
- Re: iso 17799 Darren Reed (Jul 21)
- SMS ports Jyotish K Sen Gupta (Jul 21)
- Re: SMS ports John Adams (Jul 21)
- irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Re: iso 17799 R. DuFresne (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 26)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 22)
- Re: iso 17799 Dana Nowell (Jul 23)
- Re: iso 17799 ArkanoiD (Jul 26)
- Re: iso 17799 mlh (Jul 27)