Firewall Wizards mailing list archives
Re: Best Practices
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Wed, 19 May 2004 18:27:15 -0400
OK. From your viewpoint, it seems like I'm not getting it and from my viewpoint it seems like you aren't getting it. Since Gwen is correct, I do need a vacation, and my desk is full so I'm fitting this in, I'm probably the one not being clear. So I'll try one more time, hopefully clearer than before.

No matter how you slice the Internet connected network space up (financial, government, or small business, large business) IF you exclude the home space, certain things will still apply even across that broad canvas, assuming you want a secure network. Items like least privilege, don't connect it if you don't have to, existence of passwords and accounts, segmentation/compartmentalization of network assets based on security needs/policy, and so forth. What you might consider the basic tenets of any security setup or general 'rules of thumb' so to speak. Can we agree on that (that some list could be made, not necessarily that list)? If you put ten above average security people in a room and poll the top 5/10/50 'rules of thumb' I'd bet there is overlap. That is, for lack of a better term, the floor/minimum 'best practice'/'rule of thumb'/'guideline for implementation'/'foo' for all networks connected to the Internet. Now admittedly, it is a small set as we have not determined what type of network (small, large, critical) or what we are specifically protecting (customer list or launch codes). But I bet we can make that list. So now we have list 'Foo Base'.

OK now let's segment that network space into some crude areas: small business, large business, and governmental (or infrastructure) asset (Paul's original thread: coast guard, power plants, etc.). If we concentrate on just the generic small business segment, I'd bet we can create list 'Foo SB'. As we do the other segments we get lists 'Foo LB' and 'Foo Asset'. Now I picked SB, LB, and asset, I'm not married to that specific split, just some agreed segmentation of the space.
Now let's publish and promote those lists (or the process to create the list and the repository of information) so that at least that base of knowledge becomes common everywhere from the security guy to the mail room to the CEO. As opposed to Gwen's lots of best practices on the Internet comment, somehow we get this to be 'the list' on the net. As 'the list' on the net, many people jump on the bandwagon <serious hand waving if ever I saw it;>. Hopefully, we spend less time explaining network compartmentalization in the context of infrastructure and worm/virus attacks because people are up to speed. Hopefully, this provides a context/standard that gets extended to metrics applicable to contracts and insurance. Hopefully this provides a base that can grow ('foo SB financial' anyone), extending the existing security knowledge. Hopefully this can be used to enlighten people by reference and avoid rehashing the same constructs repeatedly. Hopefully this can be used by people as a tool to help push back and help get sanity in the network space (vendors, ridiculous user requests, etc.).

What I'm suggesting, if extended out to a ridiculous extent, is similar to the RFC concept or the ANSI standard concept but for Internet connected network security. I doubt we can get that far, but a similar process might be useful. (NOTE: I have no actual process in mind, this is a straw man at best)

The obvious issue is: it is a hard problem. Networks are diverse, can we find sufficient commonality? Information gets quickly dated if specific so we need general principles not 'install a firewall here' stuff. General principles may be too general to be useful and the specific information is too dated, so can we draw the correct line, is it even possible? I have no complete picture of this, I'm not sure it can be done, I'm not even sure it would be useful. I think it may be better than having the same discussions (compartmentalization) in different specific contexts over and over.
Hopefully someone or several someones can come up with a plan. Like I said, there are a lot of IQ points here ...

Whether this is viable or not, we need a plan to broaden the discussion and build a public base of knowledge that can be extended. Specific discussions about network X in context Y are useful, but by definition, frequently too specific to extend knowledge broadly to other contexts. This list has to a large extent become more tactical than strategic (I have/posit problem X in Context Y, let's discuss is the general thread, IMO). As wizards I propose we let the apprentices deal with the tactical and we deal with the strategic or at a minimum we try for a mix of some strategic with the tactical. Why, because today's tactical is next month's garbage as threats mutate but hopefully there are some basic strategic principles that have longer lives (which I THINK is where the original discussion needed to be broadened).

OK, Paul/Gwen, is it clearer?

--
Dana Nowell
Cornerstone Software Inc.
Voice: 603-595-7480
Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards