Firewall Wizards mailing list archives
Re: Going meta (was RE: Ok, so now we have a firewall...)
From: Scott Stursa <stursa () mailer fsu edu>
Date: Thu, 2 Jun 2005 16:28:42 -0400 (EDT)
On Thu, 2 Jun 2005, Marcus J. Ranum wrote:
> Bill McGee (bam) wrote:
> > This is a classic "perfect world" versus "real world" scenario. I think Chris Blask nailed it on the head earlier when he said we have to acknowledge (and live with) the limitations of what we have while working to build something better. That's a challenge to be taken individually AND as a collective.
>
> I must disagree. As I read your posting, I had to take a couple of deep breaths because it triggered a really strong emotional response in me, and I wasn't sure why.

Likewise yours triggered a strong response in me, and I know exactly why. Not that I disagree with you - I don't. In fact, I've had a lot of respect for you since attending the IDS tutorial you gave at the 2000 USENIX Security conference. Plus, like me, you own a Harley (yours may be prettier, but I'm sure mine is faster). And I agree with most of your post; where I have an issue is with the "standing up to the manager" bit.

----<major snip>-------

> Some possibilities:
> - Some of the products we're buying simply don't work

Too true.

> - Some of the products we're buying aren't being used properly

"Some"? Don't you mean "most"?

> - There is no correlation between cost and effectiveness of security products

There may be, but it's very low.

> To me, the stellar example remains the whole firewall "debate" of the early 1990's. Let's not beat around the bush: convenience kicked security's ass in 1994 and has been kicking it ever since. Yes, there are lots of perfectly good-sounding "business justifications" for doing it, but today's firewalls let too much stuff back and forth. To me, the fact that organizations with firewalls continue to get brutally hacked is empirical proof of that view.

I've audited a number of FWs here (mostly PIXs) and most have rulesets so loose that running the firewall is pointless.

> I know a handful of organizations that have very strict firewalls with draconian and unpopular rulesets - and they simply don't get hacked.

That's true for the one I administer. They've not been hacked since I took it over, but they complain about not being able to do msn messenger.

> I am totally sympathetic to the plight of the security practitioner who isn't willing to put his job on the line by telling the CTO he's a moron. I completely understand why people feel they need to compromise. But I still think compromise is for sissies.
THIS is what got me riled. Last spring we completely re-engineered the network for a large school here at the university. I redesigned the network to put different populations of hosts into separate network segments; internal-use-only servers on one, desktops on another, etc. I implemented port security on the switches so that they can't just walk in and plug in a laptop. We put wireless on its own segment and force authentication through a BlueSocket. All these segments are set up on separate VLANs and communicate with each other via a PIX (utilizing the VLAN support introduced in 6.3 code). IRC and "fun" stuff (e.g., msn messenger) are blocked, inbound and out. To a great degree I relied on the principles outlined by you in your "Re: ISO 17799" post to this list on 20 July 2004.

This plan put me at odds with my manager (an arrogant young man who considers himself God's Gift to IT), who felt that "our first goal should be to get the network up and stable - we can go back and make it secure later". I countered with, "An insecure network is an unstable network - just ask the [protect-the-clueless] department". He didn't have an answer for that. So I held my ground and we did it my way. The result - no compromised hosts since then (beginning of March).

But I've paid for that. Two months ago he did a performance appraisal on me, giving me the first "unsatisfactory" rating I've received in 26 years of working for the university. I'm on probation and having to document literally every minute of my day. Not that it will make any difference - I fully expect to be unemployed when my contract expires in August. This is the price I'm paying for *not* being a "sissy".

- SLS

p.s. Harley for sale - priced for quick sale!

------------------------------------------------------------------------
Scott L. Stursa                          850/644-2591
Network Security Analyst                 stursa () mailer fsu edu
OTI Enterprise Security Group
Florida State University
- No good deed goes unpunished -

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
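The two threads of this message, "rulesets so loose that running the firewall is pointless" and the segmented VLAN design described above, can be made concrete with a small policy evaluator. The following is an added example written for this archive page, not code from the post or from any PIX configuration: it models a constructed four-segment plan (servers, desktops, wireless, internet; the 10.10.x.0/24 and 203.0.113.10 addresses are hypothetical), evaluates flows against a first-match ruleset with an implicit deny, and scores a ruleset by the share of sampled cross-segment flows it permits. A permit-everything ruleset scores 1.0; the strict default-deny ruleset, which also blocks IRC and MSN Messenger in both directions as the post describes, scores close to 0.

```python
"""Toy inter-segment firewall policy evaluator (added example, hypothetical addresses)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from itertools import product

# Constructed segment plan; none of these addresses come from the post.
SEGMENTS = {
    "servers":  ipaddress.ip_network("10.10.1.0/24"),
    "desktops": ipaddress.ip_network("10.10.2.0/24"),
    "wireless": ipaddress.ip_network("10.10.3.0/24"),
}
# One representative host per segment, used when scoring a ruleset.
SAMPLE_HOST = {"servers": "10.10.1.10", "desktops": "10.10.2.20",
               "wireless": "10.10.3.30", "internet": "203.0.113.10"}


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # segment name or "any"
    dst: str                  # segment name or "any"
    proto: str                # "tcp", "udp" or "any"
    ports: frozenset | None   # permitted/denied destination ports; None = any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the internal nets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src in ("any", segment_of(flow.src_ip))
            and rule.dst in ("any", segment_of(flow.dst_ip))
            and rule.proto in ("any", flow.proto)
            and (rule.ports is None or flow.dport in rule.ports))


def evaluate(rules: list[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied (implicit deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# A constructed sample of destination ports: admin, mail, DNS, web, SMB, MSN, RDP, VNC, IRC.
SAMPLE_PORTS = (22, 25, 53, 80, 443, 445, 1863, 3389, 5900, 6667)


def permitted_fraction(rules: list[Rule], ports=SAMPLE_PORTS) -> float:
    """Share of cross-segment (src, dst, proto, port) combinations the ruleset permits.

    1.0 means the firewall decides nothing; a strict default-deny policy scores near 0.
    """
    names = list(SAMPLE_HOST)
    combos = [(s, d, pr, p)
              for s, d, pr, p in product(names, names, ("tcp", "udp"), ports)
              if s != d]   # intra-segment traffic never crosses the firewall
    allowed = sum(evaluate(rules, Flow(SAMPLE_HOST[s], SAMPLE_HOST[d], pr, p)) == "permit"
                  for s, d, pr, p in combos)
    return allowed / len(combos)


# "Permit everything": the box is in the path but enforces nothing.
LOOSE = [Rule("permit", "any", "any", "any", None)]

# Strict default-deny policy, constructed for illustration.
STRICT = [
    Rule("deny", "any", "any", "tcp", frozenset({6667, 1863})),            # IRC and MSN, in and out
    Rule("permit", "desktops", "servers", "tcp", frozenset({22, 80, 443})),
    Rule("permit", "desktops", "internet", "tcp", frozenset({80, 443})),
    Rule("permit", "wireless", "internet", "tcp", frozenset({80, 443})),
    # everything else, including anything inbound from the internet, hits the implicit deny
]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(f"{name}: {permitted_fraction(rules):.1%} of sampled cross-segment flows permitted")
    print("desktop -> MSN:", evaluate(STRICT, Flow("10.10.2.20", "203.0.113.10", "tcp", 1863)))
```

The scoring function is a crude audit metric rather than a substitute for reading the ruleset, but it makes the difference visible in one number: with the sample ports above the loose ruleset permits 100% of sampled cross-segment flows and the strict one about 3%, which is the gap between a firewall that is pointless to run and one that does what the post describes.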