Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Wed, 19 May 2004 14:52:23 -0400 (EDT)

On Wed, 19 May 2004, Dana Nowell wrote:
But the community as a whole doesn't agree on a common set of best
practices.  Like you said, there are
"plenty of information about best practices out in the wild - and
increasing awareness and implementation", the implication being that there
isn't a base set of rules for say small business and that what few 'rules'
people do agree on are not well sorted from the 'but I think' stuff.  If it
was, it would start showing up in places (contracts, discussion on VPN
implementations, business (not security) surveys, ...) and I don't see it.

I think that's an example of trying to fit the same shoe to everybody's
foot.  Best practices aren't identical for all sites.

A home user with a cable modem and a Windows box for gaming is going to
be adhering to "best practices" if he's got some sort of firewall at his
cable modem, ideally one on his box, and does virus scans regularly.

This wouldn't be at all appropriate for the puzzle palace ;>

Not the point.  The point is that a guy that buys one router has a hard
time getting clauses into Cisco contracts.  The 35 guy company that does
business has trouble getting contract clauses into deals with large
companies.  In many cases it comes down to an issue of clout, and the
little guy doesn't have it.  Being right is good, being unable to implement
it is bad.  Having everyone say the same thing gets it into the base
contract and the little guy wins.  I do not see it in the base contract
yet.  My company is not required by customers to carry insurance.  If my
company asks for insurance or other indemnification during contract talks,
we get laughed at.  We have stopped asking, stopped looking, and stopped
worrying about it.  I'd be happy to see it.  So when the game starts, put
me in coach.

Ah! You're talking about something else entirely.  If I read you
correctly, you want some sort of security guarantee put into your vendor
contracts.  Interesting.

Like I said several times, air gaps are a good thing.  And yes, air gaps
are more viable in high risk low churn infrastructure environments.  I have
no specific issue with air gaps in that environment.  My issue is with the
mindset of add another tool to the belt and call it close enough.  WHY are
we walling those off?  Answer, because we do not tackle the hard problem of
securing the ENTIRE NETWORK.  Yes, it is a hard problem, no we will not
solve it tomorrow, but few wars are won by repeated strategic withdrawals.

Odd ;> I'm thinking "an additional tool in the belt" combined with "and
we're always looking for better ways".  This does get back to best
practices.  Minimum required access.  Do those servers need to have access
to the network? If the answer is no, then don't connect them to the
network.  "Because I can" is seldom the right answer [unless we're talking
about that nice long motorcycle ride through the twisties ;>].

I think that you're really confusing several issues here.  Nobody's saying
that you shouldn't work on securing the entire network.  They are saying
fairly basic things like "Minimum required access", "Least privilege",
"Containment", "Compartmentalization".  These are all techniques for
securing your entire network.

EXACTLY.  So after the concept of compartmentalization struck the world in,
what, the middle ages, AND has been ingrained in military process
practically since then, WHY ARE WE STILL DISCUSSING IT.  Why is it not
automatically assumed by anyone remotely related to the security community.

Er, well - the reason that I'm discussing it is that you didn't seem to
be getting there from here...

<rant about it taking forever to get things through to people>

Well - we are a very young profession, just starting to emerge from the
woolly "anybody can claim that they're a security guru" stage.  It's an
overused analogy, but the medical profession took a long, long time to
get to a point where it was possible to describe best practices and
standardized training.

because they were overruled, yeah OK I DO need a vacation).

*grin*

Not air gaps, security in general.  I said I wanted to broaden the
discussion.  I'll stop now, it obviously doesn't want to be broadened.
Besides I think I broke my lance.

Heh. It's not that the discussion doesn't necessarily want to be
broadened - it's that your starting point made it profoundly unclear
that you were trying to have a discussion about the state of security
in general, rather than a complaint about air gaps ;>

If you wanted to start again, with another message [and subject], and
a clear statement of purpose, I bet you'd find that plenty of folks
were willing to comment ;>

Right now I suspect that most of them haven't read this far down, and
are waiting to move along ;>

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

