Firewall Wizards mailing list archives
Re: iso 17799
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 21 Jul 2004 18:08:43 -0400
At 03:58 PM 7/21/2004 -0400, Marcus J. Ranum wrote:
Dana Nowell wrote:Thanks for the list, but methinks your rant missed the point. :-).No, I understood your point. I just don't think education is the issue. :)
So what is?
Having worked in several micro start-ups and small companies throughout my career, I can assure you they don't buy $100,000 doo-dads.Uhm, I know. I've done start-ups too.In fact the entire operations budget (host, network, security, etc) MIGHT be $100,000/yr including salaries.Right, then you're small enough to approach security as a non-technical problem and actually solve it. By making sure your users are controlled, your network is tight, and your security is not a problem. It's only the big companies that are so pervasively populated with stupid middle managers and C-level execs that they can afford to buy $100,000 doo-dads. If you're small, you're small enough to implement simple proxy servers, segment your network, etc. It's much easier to overcome office politics and layer 8 issues in a small company.
So what is wrong with a repository of information for those people to mine as needed? Too small a group? Not worth the effort? Hey if your issue is with big companies, lots of little ones exist on the net and they get hacked too.
So I think your definition of small company and my definition of small company are different (hint, if you need to use your fingers AND toes to count staff, you are closing on the upper limit, borrow Paul's too and we're more than covered ;).Hey, I used to be able to fit my entire company's staff AND a case of beer in a small hot tub. "Been there, done that."Maybe where you work, a $100,000 doo-dadMaybe you need to go back and actually read my posting. Or, perhaps it was so badly written that you managed to get the exact opposite message from it than I intended. :( I was *trashing* the idea of the $100,000 doo-dad. It's a stupid approach. Did *ANY* of the "good practices" I post say "buy a $100,000 doo-dad"? They were all "do this" "don't do that." Most of the ideas I was recommending are cheap to implement technically, though often costly in terms of organization and office politics (which scale as the organization scales)
Yes, the ideas work, like I said in the post, I've tried many of them. I'm not sure why you brought the $100,000 doo-dad into the picture in the first place. I assumed it was because you feel education won't help as people want to buy the magic bullet and move on. Yes, no kidding, we'd all like the magic bullet, now what's really in the bag?;) Seriously some people fall for marketing hype, some don't, some people just want to get through the day and some plan well in advance, people vary. There are some of us interested in doing a good job and we don't believe in magic bullets. We also think it is stupid to have ten people solve the same problem ten times. How about we try, the first guy solves it, the remaining 9 tweak his solution for their environment and we expend 5-8 times effort instead of 10 times effort?
The push for standards by the marketing weenies has always existed. As you state, because it helps them gain control over the market. BUT there is now push for standards from the customer/geek/CEO and not because they want the vendor to control the market. It's because they need help, any help in getting a handle on direction.I see little evidence of that. In fact, the trends I see in the industry are largely contrary to what you assert. Can you explain the basis of your belief?
Several discussions on this list. Several discussions in my office. Several emails to assorted peers. Several discussions with clients. A LOT more activity than in the past few years. People are overloaded and looking for (help | shortcuts | magic bullets | cosmic insight). Add that to the marketing FUD, the various other standards people see every day (for simpler things but let's not bring facts to the 'I want it' discussion;). And people wonder if it isn't possible to come up with a 'standard'. I don't believe a true rigid standard will work, my network is different from Paul's and different from yours, my solution will be at least slightly different. HOWEVER, I do believe if I saw how you did it and how Paul did it, it MIGHT save me thinking time.
Oh, and for the record Marcus, we are outbound only, have a DMZ, and consider the DMZ pre-poisoned whenever feasible. Handle attachments at the gateway, use a mix of stateful and level 7 service handlers. Disallow new protocol/service requests as a matter of course until a justification is made. We DO NOT ALLOW mobile users direct access to the internal network, they get a VERY few services (like mail) and are on a different logical subnet with different firewall rules (in fact we export EXACTLY 4 services to the public and about 6 to mobile users). We use default deny. We use a centralized antivirus install that autoupdates the desktops as patches are provided by our vendor (about a 10 minutes delay) all automagically, even nights and weekends. We use centralized mail services that do SPAM and attachment handling. We are small enough that almost all firewall traffic is logged, certainly ALL inbound traffic is logged. All logs are autoscanned via cron each night and a summary is emailed to me and several others (vacation issue).SO WHAT IS YOUR PROBLEM? You've done all the "good stuff" I can think of!! My guess is your security is probably pretty good, right?
<sigh> I guess I'm a do gooder ;). No seriously, it is vested self interest. We do OK, but the more of the others I can keep from being hacked the less I get pounded on. It IS possible that a virus/worm/#$%^@ may attack my net before the vendor releases the patch or before I apply it. Of course, the less it spreads, the fewer of the little devils there are to attack me, the longer (in theory) I get to cover my network. The more everyone tightens up the more bandwidth I get back (less spambots, worms, virus crud and other denziens of the nightmare). The more others audit the quicker idiots get stopped on rev A of the virus instead of rev ZZZ. Digging a deaper foxhole only works until you are overrun, I'd like to help stabilize the line, maybe even go on the offensive. Hey, my foxhole is pretty deep but I've come to the conclusion it is only a matter of time before I'm overrun. So I'll try something different.
That description you give above is a nice blueprint of a well-secured network. It's great!! That's how anyone with a clue secures their network. I bet you survive attacks that whack the stuffing out of your peers, right? Easily, right?As much as I'd like to be unique, the number one, most secure, top of the pile, best in the business guy in the industry, I doubt it.There is no such thing!! I mean, there's the guys who took bolt-cutters to their network connections and who epoxy their CAT-5 cables into the jacks, etc. If you asked them, they wouldn't tell you they were unique or #1, they'd just tell you they "solved the problem." There's always trade-offs in doing so. Namely connectivity. But connectivity is vastly overrated. ;)I tend to think that if I need information, some other people might like it too, and probably several hundred people already have it.Yeah...I spend some time each month keeping up, researching patches/bugs, learning about new tech, looking at protocols, writing memos on tech, etc. Any repository that helps me or helps my admins so I get more time and they still get it right is an official 'good thing' from my perspective, but maybe I'm unique.Clueful people have no problem (apparently you haven't, ergo you must be clueful!) finding the information they need and making sense out of it. Clueless people aren't going to use the information even if you chew it up into a palatable mush and squirt it down their throats the way a mother bird does for its chicks. They are beyond help. Don't waste your time on them. Tell them to buy the $100,000 doo-dad and solve the problem (as you have done) with a little discipline, some attention to detail, and brainpower.
OK, so I have a clue, you have a clue, Paul has a clue, and I'd bet several others around here have a clue, let's find a way to share. That's all I'm recommending. I think if we don't share now the marketing droids will win (yeah, OK probably will anyway) and we will get 'standards' then we will have to battle the standards where they don't make sense (remember everything tunneled over HTTP anyone :-). Either way, it's time to share ammo and concentrate fire, it's a target rich environment and I'm having trouble choosing some days. Assuming we can agree to share, the real problem is what and how do we share. Any suggestions? Should it be a new subject? Should we forget it (is the list enough)? -- Dana Nowell Cornerstone Software Inc. Voice: 603-595-7480 Fax: 603-882-7313 email: DanaNowell_at_CornerstoneSoftware.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: iso 17799, (continued)
- Re: iso 17799 George Capehart (Jul 21)
- Re: iso 17799 Darren Reed (Jul 21)
- SMS ports Jyotish K Sen Gupta (Jul 21)
- Re: SMS ports John Adams (Jul 21)
- irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: irc was Re: iso 17799 ArkanoiD (Jul 21)
- Re: irc was Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Marcus J. Ranum (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Re: iso 17799 R. DuFresne (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 22)
- Re: iso 17799 Paul D. Robertson (Jul 26)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 21)
- Re: iso 17799 Dana Nowell (Jul 21)
- Message not available
- Re: iso 17799 Frederick M Avolio (Jul 22)
- Re: iso 17799 Dana Nowell (Jul 23)
- Re: iso 17799 ArkanoiD (Jul 26)
- Re: iso 17799 mlh (Jul 27)
- Re: iso 17799 Marcus J. Ranum (Jul 27)