Firewall Wizards mailing list archives

Re: Best Practices


From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 19 May 2004 18:27:15 -0400

OK. From your viewpoint, it seems like I'm not getting it and from my
viewpoint it seems like you aren't getting it.  Since Gwen is correct, I do
need a vacation, and my desk is full so I'm fitting this in, I'm probably
the one not being clear.  So I'll try one more time, hopefully clearer than
before.

No matter how you slice the Internet connected network space up (financial,
government, or small business, large business) IF you exclude the home
space, certain things will still apply even across that broad canvas,
assuming you want a secure network.  Items like least privilege, don't
connect it if you don't have to, existence of passwords and accounts,
segmentation/compartmentalization of network assets based on security
needs/policy, and so forth.  What you might consider the basic tenets of
any security setup or general 'rules of thumb' so to speak.  Can we agree
on that (that some list could be made, not necessarily that list)?  

If you put ten above average security people in a room and poll the top
5/10/50 'rules of thumb' I'd bet there is overlap.  That is, for lack of a
better term, the floor/minimum 'best practice'/'rule of thumb'/'guideline
for implementation'/'foo' for all networks connected to the Internet.  Now
admittedly, it is a small set as we have not determined what type of
network (small, large, critical) or what we are specifically protecting
(customer list or launch codes).  But I bet we can make that list.  So now
we have list 'Foo Base'.

OK now let's segment that network space into some crude areas: small
business, large business, and governmental (or infrastructure) asset (Paul's
original thread: coast guard, power plants, etc.).

If we concentrate on just the generic small business segment, I'd bet we
can create list 'Foo SB'.  As we do the other segments we get lists 'Foo
LB' and 'Foo Asset'.  Now I picked SB, LB, and asset, I'm not married to
that specific split, just some agreed segmentation of the space.

Now let's publish and promote those lists (or the process to create the
list and the repository of information) so that at least that base of
knowledge becomes common everywhere from the security guy to the mail room
to the CEO.  As opposed to Gwen's lots of best practices on the Internet
comment, somehow we get this to be 'the list' on the net. As 'the list' on
the net, many people jump on the bandwagon <serious hand waving if ever I
saw it;>.  

Hopefully, we spend less time explaining network compartmentalization in
the context of infrastructure and worm/virus attacks because people are up
to speed.  Hopefully, this provides a context/standard that gets extended
to metrics applicable to contracts and insurance.  Hopefully this provides
a base that can grow ('foo SB financial' anyone), extending the existing
security knowledge.  Hopefully this can be used to enlighten people by
reference and avoid rehashing the same constructs repeatedly.  Hopefully
this can be used by people as a tool to help push back and help get sanity
in the network space (vendors, ridiculous user requests, etc.).

What I'm suggesting, if extended out to a ridiculous extent, is similar to
the RFC concept or the ANSI standard concept but for Internet connected
network security.  I doubt we can get that far, but a similar process might
be useful. (NOTE: I have no actual process in mind, this is a straw man at
best)

The obvious issue is: it is a hard problem.  Networks are diverse, can we
find sufficient commonality?  Information gets quickly dated if specific so
we need general principles not 'install a firewall here' stuff.  General
principles may be too general to be useful and the specific information is
too dated, so can we draw the correct line, is it even possible?  

I have no complete picture of this, I'm not sure it can be done, I'm not
even sure it would be useful.  I think it may be better than having the
same discussions (compartmentalization) in different specific contexts over
and over.  Hopefully someone or several someones can come up with a plan.
Like I said, there are a lot of IQ points here ...

Whether this is viable or not, we need a plan to broaden the discussion and
build a public base of knowledge that can be extended.  Specific
discussions about network X in context Y are useful, but by definition,
frequently too specific to extend knowledge broadly to other contexts.
This list has to a large extent become more tactical than strategic (I
have/posit problem X in Context Y, let's discuss is the general thread,
IMO).  As wizards I propose we let the apprentices deal with the tactical
and we deal with the strategic or at a minimum we try for a mix of some
strategic with the tactical.  Why?  Because today's tactical is next month's
garbage as threats mutate but hopefully there are some basic strategic
principles that have longer lives (which I THINK is where the original
discussion needed to be broadened).

OK, Paul/Gwen, is it clearer?



-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards