Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Wed, 19 May 2004 14:52:23 -0400 (EDT)
On Wed, 19 May 2004, Dana Nowell wrote:
But the community as a whole doesn't agree on a common set of best practices. Like you said, there are "plenty of information about best practices out in the wild - and increasing awareness and implementation", the implication being that there isn't a base set of rules for say small business and that what few 'rules' people do agree on are not well sorted from the 'but I think' stuff. If it was, it would start showing up in places (contracts, discussion on VPN implementations, business (not security) surveys, ...) and I don't see it.
I think that's an example of trying to fit the same shoe to everybody's foot. Best practices aren't identical for all sites. A home user with a cable modem and a Windows box for gaming is going to be adhering to "best practices" if he's got some sort of firewall at his cable modem, ideally one on his box, and does virus scans regularly. This wouldn't be at all appropriate for the puzzle palace ;>
Not the point. The point is that a guy that buys one router has a hard time getting clauses into Cisco contracts. The 35 guy company that does business has trouble getting contract clauses into deals with large companies. In many cases it comes down to an issue of clout, and the little guy doesn't have it. Being right is good, being unable to implement it is bad. Having everyone say the same thing gets it into the base contract and the little guy wins. I do not see it in the base contract yet. My company is not required by customers to carry insurance. If my company asks for insurance or other indemnification during contract talks, we get laughed at. We have stopped asking, stopped looking, and stopped worrying about it. I'd be happy to see it. So when the game starts, put me in coach.
Ah! You're talking about something else entirely. If I read you correctly, you want some sort of security guarantee put into your vendor contracts. Interesting.
Like I said several times, air gaps are a good thing. And yes, air gaps are more viable in high risk low churn infrastructure environments. I have no specific issue with air gaps in that environment. My issue is with the mindset of add another tool to the belt and call it close enough. WHY are we walling those off? Answer, because we do not tackle the hard problem of securing the ENTIRE NETWORK. Yes, it is a hard problem, no we will not solve it tomorrow, but few wars are won by repeated strategic withdrawals.
Odd ;> I'm thinking "an additional tool in the belt" combined with "and we're always looking for better ways". This does get back to best practices. Minimum required access. Do those servers need to have access to the network? If the answer is no, then don't connect them to the network. "Because I can" is seldom the right answer [unless we're talking about that nice long motorcycle ride through the twisties ;>]. I think that you're really confusing several issues here. Nobody's saying that you shouldn't work on securing the entire network. They are saying fairly basic things like "Minimum required access", "Least privilege", "Containment", "Compartmentalization". These are all techniques for securing your entire network.
EXACTLY. So after the concept of compartmentalization struck the world in, what, the middle ages, AND has been ingrained in military process practically since then, WHY ARE WE STILL DISCUSSING IT. Why is it not automatically assumed by anyone remotely related to the security community.
Er, well - the reason that I'm discussing it is that you didn't seem to be getting there from here... <rant about it taking forever to get things through to people> Well - we are a very young profession, just starting to emerge from the woolly "anybody can claim that they're a security guru" stage. It's an overused analogy, but the medical profession took a long, long time to get to a point where it was possible to describe best practices and standardized training.
because they were overruled, yeah OK I DO need a vacation).
*grin*
Not air gaps, security in general. I said I wanted to broaden the discussion. I'll stop now, it obviously doesn't want to be broadened. Besides I think I broke my lance.
Heh. It's not that the discussion doesn't necessarily want to be broadened - it's that your starting point made it profoundly unclear that you were trying to have a discussion about the state of security in general, rather than a complaint about air gaps ;> If you wanted to start again, with another message [and subject], and a clear statement of purpose, I bet you'd find that plenty of folks were willing to comment ;> Right now I suspect that most of them haven't read this far down, and are waiting to move along ;>
cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards