Firewall Wizards mailing list archives
Re: Security policy language
From: Jean-Denis Gorin <jdgorin () computer org>
Date: Thu, 25 Jan 2007 11:28:25 +0100
Hi Marco,
Marco Cremonini, 24 January 2007 09:51:
> The problem is: We would like to implement/adopt a high-level specification language for the definition of a security policy, something that should let one specify the policy at the organizational level. Such a policy should then be translated into specific fw rules.
The problem is that the main part of a security policy is not technical but organizational, and has to deal with human behavior! Example: if your security policy tells that it is not allowed to surf non-professional websites, you only need to check that there is no violation of this rule (read: web proxy log analysis). What you don't need is to use a URL filtering system.

About the human part of the security policy:
1/ make people learn it and understand the whereabouts, [1]
2/ check if violations of the policy exist,
3/ have people explain why they don't respect the policy. [2]

Only the technical part of the policy has to be enforced by technical means (example: designing a DMZ to isolate IN and OUT networks).

[1] Yes... I know Marcus' point of view: user education is one of the worst security ideas.

[2] User (and manager!) education is needed, but is not enough. It's just a beginning: telling users that doing this or that is bad is not enough, you have to show them why, and spot them when they did bad things. Users are like children when it comes to security: they have to be educated. The bad point is that users are *adults*, and they don't want to be educated because they are convinced they already are!

JDG

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
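The check the post describes (reading web proxy logs for policy violations rather than deploying a URL filter), as an added example that is not part of the original message: a Python script that parses constructed Squid-style access-log lines, looks each destination host up in a constructed category table, and reports which users reached non-professional destinations and how many of those requests actually succeeded. The log layout, hostnames, users and categories are all assumptions made for the example; a real deployment would feed it the proxy's actual log and a real categorization source.

```python
"""Check web-proxy logs for violations of an organizational web-use policy.

Added example, not code from the original post. Assumes a Squid-style native
access.log layout: timestamp elapsed client code/status bytes method url user
hierarchy/peer content-type. Log lines and category table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample of Squid native access.log lines.
SAMPLE_LOG = """\
1169720000.123    120 10.0.0.12 TCP_MISS/200 5123 GET http://intranet.example.com/wiki/Policy alice HIER_DIRECT/10.0.0.5 text/html
1169720005.456    340 10.0.0.12 TCP_MISS/200 88123 GET http://video.example.net/watch?v=cat bob HIER_DIRECT/203.0.113.7 video/mp4
1169720009.789     50 10.0.0.33 TCP_HIT/200 2048 GET http://news.example.org/ - HIER_NONE/- text/html
1169720015.000    210 10.0.0.12 TCP_MISS/403 512 CONNECT games.example.net:443 bob HIER_DIRECT/203.0.113.9 -
1169720020.000    180 10.0.0.12 TCP_MISS/200 7000 GET http://supplier.example.com/catalog carol HIER_DIRECT/198.51.100.3 text/html
"""

# Constructed category table standing in for a real categorization feed.
CATEGORIES = {
    "intranet.example.com": "business",
    "supplier.example.com": "business",
    "video.example.net": "entertainment",
    "games.example.net": "games",
    "news.example.org": "news",
}
# The policy as written: surfing non-professional sites is not allowed.
NON_PROFESSIONAL = {"entertainment", "games"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Split one access.log line into a dict, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def host_of(url):
    """CONNECT requests are logged as host:port without a scheme; GET logs a full URL."""
    if "://" not in url:
        return url.split(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def find_violations(log_text, categories=CATEGORIES, banned=NON_PROFESSIONAL):
    """Return {user: [(host, category, http_status), ...]} for requests whose
    destination falls into a banned category. Unauthenticated requests are
    reported under the client IP so they are not silently dropped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        cat = categories.get(host, "uncategorized")
        if cat in banned:
            who = rec["user"] or f"ip:{rec['client']}"
            hits[who].append((host, cat, int(rec["status"])))
    return dict(hits)


def summarize(violations):
    """One line per user: attempts seen, and how many the proxy let through (status < 400)."""
    lines = []
    for who, events in sorted(violations.items()):
        succeeded = sum(1 for _, _, st in events if st < 400)
        lines.append(f"{who}: {len(events)} policy hits, {succeeded} succeeded")
    return lines


if __name__ == "__main__":
    for line in summarize(find_violations(SAMPLE_LOG)):
        print(line)
```

The distinction between hits and successes matters for the post's point: a 403 from the proxy shows an attempt that a technical control blocked, while a 200 shows a policy violation that only log review will ever surface, which is exactly the case the post says should be handled by talking to the user rather than by adding more filtering.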