Firewall Wizards mailing list archives
Re: Going meta (was RE: Ok, so now we have a firewall...)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Jun 2005 18:11:48 -0400
Scott Stursa wrote:
>> - Some of the products we're buying aren't being used properly
>
> "Some"? Don't you mean "most"?
Geeze. The one time I *TRY* to be nice, people on the list don't let me get away with it. I had originally written "virtually all" but figured that came across as a bit too categorical. ;)
>> - There is no correlation between cost and effectiveness of security products
>
> There may be, but it's very low.
There may be, but the presence of open source alternatives really upsets the applecart when it comes to figuring out the value proposition of some of these things...
> Last spring we completely re-engineered the network for a large school here at the university. I redesigned the network to put different populations of hosts into separate network segments; internal-use-only servers on one, desktops on another, etc. I implemented port security on the switches so that they can't just walk in and plug in a laptop.
That's awesome!!!!
> We put wireless on its own segment and force authentication through a BlueSocket. All these segments are set up on separate VLANs and communicate with each other via a PIX (utilizing the VLAN support introduced in 6.3 code). IRC and "fun" stuff (e.g., msn messenger) are blocked, inbound and out. To a great degree I relied on the principles outlined by you in your "Re: ISO 17799" post to this list on 20 July 2004. This plan put me at odds with my manager (an arrogant young man who considers himself God's Gift to IT), who felt that "our first goal should be to get the network up and stable - we can go back and make it secure later". I countered with, "An insecure network is an unstable network - just ask the [protect-the-clueless] department". He didn't have an answer for that.
That's because there isn't one! :) That's a great response. Security == reliability. Security == performance.
> So I held my ground and we did it my way. The result - no compromised hosts since then (beginning of March). But I've paid for that. Two months ago he did a performance appraisal on me, giving me the first "unsatisfactory" rating I've received in 26 years of working for the university. I'm on probation and having to document literally every minute of my day. Not that it will make any difference - I fully expect to be unemployed when my contract expires in August.
So you think this is an act of petty revenge from a small-minded pissant? It's certainly possible and that happens. :( Presumably your University's HR department has mechanisms for appealing an appraisal, and it sounds like you have a good track record you can point to. It's quite possible that you're going to lose this fight, but I sure hope you leave some big scars on the opposition. You've got until August to file protests and grievances and make as big a stink as possible. Speaking as an ex-manager and ex-CEO I can assure you that in most senior execs' minds (those that have them) nobody ever "wins" an affair like this. Both parties lose. If you make a stink you'll drag his career there down, too. If he isn't a complete idiot he'll know that - you ought to try talking to him and see if you can work something out.
> This is the price I'm paying for *not* being a "sissy".
I know it doesn't help much, but sometimes there is a small amount of satisfaction that comes from doing the right thing. I hope so, anyhow. It's about the only thing that gets me up in the morning, most days. :(

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
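For readers who want to see what Scott's design (separate VLANs per host population, port security on the access switches, a PIX 6.3 box routing between the VLANs, IRC and instant messaging blocked) looks like as configuration, here is a constructed illustration. It is not Scott's or Ranum's configuration and nothing in the thread shows it; the VLAN numbers, interface names, addresses and host-population names are assumed, the IRC (6667) and MSN Messenger (1863) ports are the standard ones, and the PIX nat/global statements needed to actually pass traffic are omitted for brevity.

```cisco
! --- Access switch (Catalyst IOS): one port, one VLAN, one MAC address ---
! Assumed values: VLAN 20 = desktops. A second MAC on the port (someone
! unplugging the desktop and plugging in a laptop) shuts the port down.
interface FastEthernet0/1
 description desktop drop, room 101 (constructed label)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- PIX 6.3: logical VLAN interfaces, one per host population ---
! Assumed values: VLAN 10 = internal-use-only servers, 20 = desktops,
! 30 = wireless (behind the authentication gateway). Addresses are RFC 1918
! and documentation ranges chosen for this example.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 servers security80
nameif vlan20 desktops security60
nameif vlan30 wireless security20
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address servers 10.10.0.1 255.255.255.0
ip address desktops 10.20.0.1 255.255.255.0
ip address wireless 10.30.0.1 255.255.255.0
!
! Desktops: deny IRC and MSN Messenger outbound, allow only the service the
! internal servers actually offer (web here), deny the rest of the server
! segment, then a general permit to the Internet.
access-list desktops_in deny tcp any any eq 6667
access-list desktops_in deny tcp any any eq 1863
access-list desktops_in permit tcp any 10.10.0.0 255.255.255.0 eq 80
access-list desktops_in deny ip any 10.10.0.0 255.255.255.0
access-list desktops_in permit ip any any
access-group desktops_in in interface desktops
!
! Wireless: no path to any internal segment; Internet only.
access-list wireless_in deny ip any 10.0.0.0 255.0.0.0
access-list wireless_in permit ip any any
access-group wireless_in in interface wireless
!
! Outside: a lower-security interface is denied by default; state it explicitly
! so the "inbound" half of the IRC/messenger block is visible in the config.
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

The point of the layout is the one Scott makes: each population only reaches what it needs, the choke point between populations is one device whose rules can be read in a minute, and a host compromised on the wireless or desktop segment cannot pivot to the server segment on its own.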