Firewall Wizards mailing list archives

Re: Going meta (was RE: Ok, so now we have a firewall...)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Jun 2005 18:11:48 -0400

Scott Stursa wrote:
- Some of the products we're buying aren't being used properly

"Some"? Don't you mean "most"?

Geeze. The one time I *TRY* to be nice, people on the list
don't let me get away with it. I had originally written
"virtually all" but figured that came across as a bit
too categorical. ;)

- There is no correlation between cost and effectiveness of security products

There may be, but it's very low.

There may be, but the presence of open source alternatives
really upsets the applecart when it comes to figuring out
the value proposition of some of these things...


Last spring we completely re-engineered the network for a large school
here at the university. I redesigned the network to put different
populations of hosts into separate network segments; internal-use-only
servers on one, desktops on another, etc. I implemented port security on
the switches so that they can't just walk in and plug in a laptop.

That's awesome!!!!

We put wireless on its own segment and force authentication through a
BlueSocket. All these segments are set up on separate VLANs and communicate
with each other via a PIX (utilizing the VLAN support introduced in 6.3
code). IRC and "fun" stuff (e.g., MSN Messenger) are blocked, inbound and out.

To a great degree I relied on the principles outlined by you in your "Re:
ISO 17799" post to this list on 20 July 2004.

This plan put me at odds with my manager (an arrogant young man who
considers himself God's Gift to IT), who felt that "our first goal
should be to get the network up and stable - we can go back and make it
secure later". I countered with, "An insecure network is an unstable
network - just ask the [protect-the-clueless] department". He didn't have
an answer for that.

That's because there isn't one! :) That's a great response.
Security == reliability. Security == performance.

So I held my ground and we did it my way. The result - no compromised
hosts since then (beginning of March).

But I've paid for that. Two months ago he did a performance appraisal on
me, giving me the first "unsatisfactory" rating I've received in 26 years
of working for the university. I'm on probation and having to document
literally every minute of my day. Not that it will make any difference - I
fully expect to be unemployed when my contract expires in August.

So you think this is an act of petty revenge from a small-minded
pissant?  It's certainly possible and that happens. :(  Presumably
your University's HR department has mechanisms for appealing
an appraisal, and it sounds like you have a good track record
you can point to. It's quite possible that you're going to lose this
fight, but I sure hope you leave some big scars on the opposition.
You've got until August to file protests and grievances and make
as big a stink as possible. Speaking as an ex-manager and ex-CEO
I can assure you that in most senior execs' minds (those that have
them) nobody ever "wins" an affair like this. Both parties lose.
If you make a stink you'll drag his career there down, too. If
he isn't a complete idiot he'll know that - you ought to try talking
to him and see if you can work something out.

This is the price I'm paying for *not* being a "sissy".

I know it doesn't help much, but sometimes there is a small
amount of satisfaction that comes from doing the right thing. I
hope so, anyhow. It's about the only thing that gets me up in
the morning, most days. :(

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
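The design Scott describes above (separate VLANs per host population, port security on the access switches, a PIX 6.3 box routing between the VLANs, IRC and MSN blocked in both directions) in configuration form. This is an added illustration written for this archive page, not Scott's or the university's actual configuration: the VLAN numbers, interface names, addresses, security levels and the "desktops"/"servers" naming are assumptions, and the PIX lines follow the 6.3-era syntax from memory, so check them against the command reference for the exact code you run.

```cisco
! ---- Access switch (Catalyst IOS): one port, one desktop ----
! Port security learns the first MAC seen ("sticky"), allows only that one,
! and shuts the port if another MAC shows up: a walk-in laptop gets nothing.
interface FastEthernet0/1
 description desktop VLAN, port-security enforced
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! Trunk carrying all segment VLANs up to the PIX
interface GigabitEthernet0/1
 description trunk to PIX
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

! ---- PIX 6.3: one physical inside interface, one logical interface per VLAN ----
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 servers security80
nameif vlan20 desktops security60
nameif vlan30 wireless security40
ip address outside 192.0.2.2 255.255.255.0
ip address servers 10.10.0.1 255.255.255.0
ip address desktops 10.20.0.1 255.255.255.0
ip address wireless 10.30.0.1 255.255.255.0
!
! No address translation between internal segments (identity static),
! which on 6.3 is what lets a lower-security segment reach a higher one
! at all; the access-lists below then decide what is actually allowed.
static (servers,desktops) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (servers,wireless) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static (desktops,wireless) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
nat (servers) 1 10.10.0.0 255.255.255.0
nat (desktops) 1 10.20.0.0 255.255.255.0
nat (wireless) 1 10.30.0.0 255.255.255.0
global (outside) 1 interface
!
! Desktops: deny IRC (6667) and MSN Messenger (1863) outbound, allow the rest.
! Internal-use-only servers are reachable only on the services they offer.
access-list desktops_in deny tcp any any eq 6667
access-list desktops_in deny tcp any any eq 1863
access-list desktops_in permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 445
access-list desktops_in permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 80
access-list desktops_in deny ip any 10.10.0.0 255.255.255.0
access-list desktops_in permit ip 10.20.0.0 255.255.255.0 any
access-group desktops_in in interface desktops
!
! Wireless: only the authentication gateway (assumed 10.30.0.2) may reach
! the wired segments; everything else from wireless is denied on the PIX.
access-list wireless_in permit ip host 10.30.0.2 any
access-list wireless_in deny ip any any
access-group wireless_in in interface wireless
!
! Inbound from the Internet: IRC/MSN denied explicitly (the implicit deny
! would catch them anyway, but the explicit lines show up in the logs).
access-list outside_in deny tcp any any eq 6667
access-list outside_in deny tcp any any eq 1863
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

Two things worth checking after deploying something like this: `show port-security interface FastEthernet0/1` on the switch should report the sticky MAC and a violation count of zero until someone actually tries the walk-in test, and `show access-list` on the PIX should show hit counts climbing on the IRC/MSN deny lines, which is the cheapest way to confirm that the "fun stuff" is really being stopped rather than leaking around the VLAN boundary.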
