Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 7 May 2004 08:28:46 -0400 (EDT)

On Thu, 6 May 2004, Crispin Cowan wrote:

> Paul D. Robertson wrote:
>
> > With all the money spent on "security" solutions that aren't as effective
> > as "don't connect"- how many companies even look at their user population
> > risk profiles and architect for it?  Not connecting is *really* cheap and
> > *really* effective.
>
> Really effective I'll believe (it definitely is secure) but really cheap
> I will challenge. IT facilities like e-mail and web do a lot to reduce
> operational costs. If you declare everyone's workstation to be
> "production" and disconnect them from the Internet then you may end up
> deploying a second set of workstations for Internet access, and that is
> not cheap.

Generally, (there's been enough about the financial services exception)
most workstations aren't "production," so using military grade
disconnection (you know, pull out that cable between the switches or to
the router between the switches ;) ) to separate things which are mission
critical from things which aren't works quite well.  I happen to think
it's about as effective to dual-home some stable machines, like e-mail
gateways for the necessary intercommunication- but the slower maintenance
and change cycle on the production side should cover the costs of what
little overlap you have to purchase equipment-wise (yes, if your machine
budget still comes from capital, operations are out of the expense
budget, a bean counter has to balance the numbers somewhere.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation