Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 03 Apr 2009 12:14:29 -0500
Bill McGee wrote:
> Short of a Ranum dictatorship, we really need to recognize that wide-eyed idealism, however well-intentioned, is never a reasonable replacement for dealing with the vagaries of the reality we actually inhabit.
Gosh, and what glorious realities they are, Bill!!! I hate to burst your vision of polishing turds until they gleam like diamonds, but - just in case it had escaped your notice - the approach you are advocating does not work. Trying to patch failed designs until they're adequate has resulted in a 15 year run-up of vulnerabilities and the enshrining of weekly patches as "how to run production systems." The approach you are advocating has resulted in security experts whose best recommendations for preventing desktops from being utterly owned is: "run 2 or 3 different AV or anti-malware scanners and hope one of them catches it." Doing the best you can with what you've got has resulted in an environment where it seems every website has so many SQL injection holes that they're using 64-bit numbers to count them all. These are not "vagaries in reality"; they are "epic fail"!

I take the position on these lists of being an idealist, because it's simply ridiculous to point at the status quo and say "that's good enough." Or worse, "we can fix it." You also don't seem to understand that the longer we continue pursuing failed doctrines, the worse it'll be - and the more expensive it'll be - when/if we ever decide to really fix things. Take, for example, all the companies that are now scrambling around trying to figure out "where _is_ our important data, anyway?" I bet they wish they'd thought things through a bit more carefully 15 years ago! And, they're going to wind up expending the same amount of effort to fix the problem - with interest.

You seem to think that we're able to work with what we've got but you don't understand that what we've got already isn't working. Call me an idealist, will you? Are there any idealists on this list who seriously think things are getting better? If you fly aircraft regularly, you should be glad that the people who design them are uncompromising and don't settle for "doing the best with whatever they've got."
It's not "wide-eyed idealism" to advocate design techniques that WORK and that you've seen work in the real world. I'm not just blowing smoke; the techniques that I (and some of the other wide-eyed idealists on this list) advocate result in systems with much higher times between failure, and dramatically reduced maintenance costs. The web site with the enumerated connectivity on the backend that I mentioned in my email yesterday? Because of its architecture, it ran without a software upgrade on any of its backend systems for 4 years. It's not wide-eyed idealism to consider the TCO of a system as well as the costs to field it. Wide-eyed beats the hell out of short-sighted in both theory and practice.

"Ranum dictatorship"?? You should be so lucky.

mjr.

--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards