Re: How automate firewall tests

["Marcus J. Ranum" <mjr () ranum com>]

Crispin Cowan wrote:
> Problem is, I don't believe in positive security models in the real world

That's OK. It doesn't matter whether you do or not. You can choose to
go around not believing in the laws of physics, either. But that doesn't
change the fact that "the bigger they come, the harder they hit."

The state of the industry today is a direct result of the fact that a lot of
you don't "believe" in a positive security model, or "believe" that security
is something that can be negotiated as part of some mysterious balancing
act between "business needs" and "security requirements."  What people
don't get is that the hackers don't give a rat's ass about where you choose
to establish your balance between fantasy and reality: all they need is one
hole and your balance is yesterday's fine dream and today's front page
news.

For the last 15 years we've been presented with a constant litany of
important agencies, sites, and systems that have been hacked into
because people don't believe that doing security right is practical. I'm
OK with that (it's not my problem!)(*) but I get really disgusted when
people publicly announce:
"I BELIEVE THE EARTH IS FLAT AND WILL CONTINUE TO KEEP
TRYING TO KEEP IT THAT WAY."

C'mon, Crispin - if you don't believe in positive security models what's
your alternative? "Kludge stuff forever"? That's working just great.
"User education"? Fantastic. Stellar. "Risk management"? The
hackers love risk management. It's one thing to say you don't believe
but it's a hard position to hold when the stuff you DO appear to believe
in has obviously failed to work.

mjr.
(* Well, it is, really. I mean, as a veteran, I know now that the VA
nicely published my personal information because of "practical"
"business needs" etc etc etc) 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards