Re: iso 17799

[Dana Nowell <DanaNowell () cornerstonesoftware com>]

At 03:58 PM 7/21/2004 -0400, Marcus J. Ranum wrote:
> Dana Nowell wrote:
> > Thanks for the list, but methinks your rant missed the point. :-).
>
> No, I understood your point. I just don't think education is the
> issue. :)

So what is?

> > Having worked in several micro start-ups
> > and small companies throughout my career, I can assure you they don't buy
> > $100,000 doo-dads.
>
> Uhm, I know. I've done start-ups too.
>
> > In fact the entire operations budget (host, network,
> > security, etc) MIGHT be $100,000/yr including salaries.
>
> Right, then you're small enough to approach security
> as a non-technical problem and actually solve it. By
> making sure your users are controlled, your network
> is tight, and your security is not a problem. It's only
> the big companies that are so pervasively populated
> with stupid middle managers and C-level execs that
> they can afford to buy $100,000 doo-dads. If you're
> small, you're small enough to implement simple
> proxy servers, segment your network, etc. It's much
> easier to overcome office politics and layer 8 issues
> in a small company.

So what is wrong with a repository of information for those people to mine
as needed?  Too small a group?  Not worth the effort?  Hey if your issue is
with big companies, lots of little ones exist on the net and they get
hacked too.

> >  So I think your
> > definition of small company and my definition of small company are
> > different (hint, if you need to use your fingers AND toes to count staff,
> > you are closing on the upper limit, borrow Paul's too and we're more than
> > covered ;).
>
> Hey, I used to be able to fit my entire company's
> staff AND a case of beer in a small hot tub. "Been
> there, done that."
>
>
> > Maybe where you work, a $100,000 doo-dad
>
> Maybe you need to go back and actually read my posting.
> Or, perhaps it was so badly written that you managed to
> get the exact opposite message from it than I intended. :(
> I was *trashing* the idea of the $100,000 doo-dad. It's a
> stupid approach. Did *ANY* of the "good practices" I
> post say "buy a $100,000 doo-dad"? They were all "do
> this" "don't do that."  Most of the ideas I was recommending
> are cheap to implement technically, though often costly
> in terms of organization and office politics (which scale
> as the organization scales)

Yes, the ideas work, like I said in the post, I've tried many of them.  I'm
not sure why you brought the $100,000 doo-dad into the picture in the first
place.  I assumed it was because you feel education won't help as people
want to buy the magic bullet and move on.  Yes, no kidding, we'd all like
the magic bullet, now what's really in the bag?;)  Seriously some people
fall for marketing hype, some don't, some people just want to get through
the day and some plan well in advance, people vary.  There are some of us
interested in doing a good job and we don't believe in magic bullets.  We
also think it is stupid to have ten people solve the same problem ten
times.  How about we try, the first guy solves it, the remaining 9 tweak
his solution for their environment and we expend 5-8 times effort instead
of 10 times effort?


> > The push for standards by the marketing weenies has always existed.  As you
> > state, because it helps them gain control over the market.  BUT there is
> > now push for standards from the customer/geek/CEO and not because they want
> > the vendor to control the market.  It's because they need help, any help in
> > getting a handle on direction.
>
> I see little evidence of that.
> In fact, the trends I see in the industry are largely contrary to what
> you assert. Can you explain the basis of your belief?

Several discussions on this list.  Several discussions in my office.
Several emails to assorted peers. Several discussions with clients.  A LOT
more activity than in the past few years.  People are overloaded and
looking for (help | shortcuts | magic bullets | cosmic insight).  Add that
to the marketing FUD, the various other standards people see every day (for
simpler things but let's not bring facts to the 'I want it' discussion;).
And people wonder if it isn't possible to come up with a 'standard'.  I
don't believe a true rigid standard will work, my network is different from
Paul's and different from yours, my solution will be at least slightly
different.  HOWEVER, I do believe if I saw how you did it and how Paul did
it, it MIGHT save me thinking time.


> > Oh, and for the record Marcus, we are outbound only, have a DMZ, and
> > consider the DMZ pre-poisoned whenever feasible.  Handle attachments at the
> > gateway, use a mix of stateful and level 7 service handlers.  Disallow new
> > protocol/service requests as a matter of course until a justification is
> > made.  We DO NOT ALLOW mobile users direct access to the internal network,
> > they get a VERY few services (like mail) and are on a different logical
> > subnet with different firewall rules (in fact we export EXACTLY 4 services
> > to the public and about 6 to mobile users).  We use default deny.  We use a
> > centralized antivirus install that autoupdates the desktops as patches are
> > provided by our vendor (about a 10 minutes delay) all automagically, even
> > nights and weekends.  We use centralized mail services that do SPAM and
> > attachment handling.  We are small enough that almost all firewall traffic
> > is logged, certainly ALL inbound traffic is logged.  All logs are
> > autoscanned via cron each night and a summary is emailed to me and several
> > others (vacation issue).
>
> SO WHAT IS YOUR PROBLEM? You've done all the "good stuff"
> I can think of!! My guess is your security is probably pretty good,
> right?

<sigh> I guess I'm a do gooder ;).  No seriously, it is vested self
interest.  We do OK, but the more of the others I can keep from being
hacked the less I get pounded on.  It IS possible that a virus/worm/#$%^@
may attack my net before the vendor releases the patch or before I apply
it.  Of course, the less it spreads, the fewer of the little devils there
are to attack me, the longer (in theory) I get to cover my network.  The
more everyone tightens up the more bandwidth I get back (less spambots,
worms, virus crud and other denziens of the nightmare).  The more others
audit the quicker idiots get stopped on rev A of the virus instead of rev
ZZZ.  Digging a deaper foxhole only works until you are overrun, I'd like
to help stabilize the line, maybe even go on the offensive.  Hey, my
foxhole is pretty deep but I've come to the conclusion it is only a matter
of time before I'm overrun.  So I'll try something different.

> That description you give above is a nice blueprint of a well-secured
> network. It's great!! That's how anyone with a clue secures their
> network. I bet you survive attacks that whack the stuffing out of
> your peers, right? Easily, right?
>
> > As much as I'd like to be unique, the number one, most secure, top of the
> > pile, best in the business guy in the industry, I doubt it.
>
> There is no such thing!! I mean, there's the guys who took
> bolt-cutters to their network connections and who epoxy
> their CAT-5 cables into the jacks, etc. If you asked them,
> they wouldn't tell you they were unique or #1, they'd just
> tell you they "solved the problem."   There's always trade-offs
> in doing so. Namely connectivity. But connectivity is vastly
> overrated. ;)
>
> > I tend to
> > think that if I need information, some other people might like it too, and
> > probably several hundred people already have it.
>
> Yeah...
>
> >  I spend some time each
> > month keeping up, researching patches/bugs, learning about new tech,
> > looking at protocols, writing memos on tech, etc.  Any repository that
> > helps me or helps my admins so I get more time and they still get it right
> > is an official 'good thing' from my perspective, but maybe I'm unique.
>
> Clueful people have no problem (apparently you haven't, ergo you
> must be clueful!) finding the information they need and making
> sense out of it. Clueless people aren't going to use the information
> even if you chew it up into a palatable mush and squirt it down
> their throats the way a mother bird does for its chicks. They are
> beyond help. Don't waste your time on them. Tell them to buy
> the $100,000 doo-dad and solve the problem (as you have done)
> with a little discipline, some attention to detail, and brainpower.

OK, so I have a clue, you have a clue, Paul has a clue, and I'd bet several
others around here have a clue, let's find a way to share.  That's all I'm
recommending.  I think if we don't share now the marketing droids will win
(yeah, OK probably will anyway) and we will get 'standards' then we will
have to battle the standards where they don't make sense (remember
everything tunneled over HTTP anyone :-).  Either way, it's time to share
ammo and concentrate fire, it's a target rich environment and I'm having
trouble choosing some days.  Assuming we can agree to share, the real
problem is what and how do we share.  Any suggestions?  Should it be a new
subject?  Should we forget it (is the list enough)?


-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards