Firewall Wizards mailing list archives

Re: PCI DSS & Firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Apr 2009 12:14:29 -0500

Bill McGee wrote:
> Short of a Ranum dictatorship, we really need to
> recognize that wide-eyed idealism, however well-intentioned, is never a reasonable replacement for dealing with the vagaries of the reality we actually inhabit.

Gosh, and what glorious realities they are, Bill!!!  I hate to burst
your vision of polishing turds until they gleam like diamonds,
but - just in case it had escaped your notice - the approach you
are advocating does not work. Trying to patch failed designs until
they're adequate has resulted in a 15 year run-up of vulnerabilities
and the enshrining of weekly patches as "how to run production
systems."  The approach you are advocating has resulted in
security experts whose best recommendations for preventing
desktops from being utterly owned is: "run 2 or 3 different AV
or anti-malware scanners and hope one of them catches it." Doing
the best you can with what you've got has resulted in an
environment where it seems every website has so many SQL
injection holes that they're using 64-bit numbers to count
them all. These are not "vagaries in reality"; they are
"epic fail"!

I take the position on these lists of being an idealist, because
it's simply ridiculous to point at the status quo and say
"that's good enough." Or worse, "we can fix it."

You also don't seem to understand that the longer we continue
pursuing failed doctrines, the worse it'll be - and the more
expensive it'll be - when/if we ever decide to really fix
things. Take, for example, all the companies that are now
scrambling around trying to figure out "where _is_ our
important data, anyway?"  I bet they wish they'd thought
things through a bit more carefully 15 years ago! And, they're
going to wind up expending the same amount of effort to fix
the problem - with interest.

You seem to think that we're able to work with what we've got
but you don't understand that what we've got already isn't
working. Call me an idealist, will you? Are there any idealists
on this list who seriously think things are getting better?

If you fly aircraft regularly, you should be glad that the
people who design them are uncompromising and don't settle
for "doing the best with whatever they've got."

It's not "wide-eyed idealism" to advocate design techniques
that WORK and that you've seen work in the real world. I'm
not just blowing smoke; the techniques that I (and some of
the other wide-eyed idealists on this list) advocate result
in systems with much higher times between failure, and
dramatically reduced maintenance costs. The web site
with the enumerated connectivity on the backend that I
mentioned in my email yesterday? Because of its architecture,
it ran without a software upgrade on any of its backend
systems for 4 years. It's not wide-eyed idealism to consider
the TCO of a system as well as the costs to field it.
Wide-eyed beats the hell out of short-sighted in both
theory and practice.

"Ranum dictatorship"?? You should be so lucky.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards