Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Chris Blask <chris () blask org>
Date: Mon, 6 Apr 2009 11:45:31 -0700 (PDT)
Hi Jim,

Jim Seymour <jseymour () linxnet com>, Monday, April 6, 2009 9:25:55 AM:

> Bill McGee <bam () cisco com> wrote:
>
> It'd be a damn sight nicer than living in the world in which we currently find ourselves, where, due to vendor irresponsibility and end-user cluelessness (encouraged by said vendors, IMO), the concept of "network security" has become a joke.

Responsibility and cluelessness are not things that I will go out of my way to let anyone off for, but the subtext "encouraged by said vendors, IMO" I have to poke a stick at. Maybe there really are some evil crafty cunning and skilled vendors out there who are manipulating all of this over Beluga caviar, Havana cigars, monocles and really evil laughs, but my experience working at these vendors is that any vendor culpability is much more rooted in the standard SNAFU background radiation that underlies human endeavor. To achieve the foundation for endemically secure design, engineering, implementation and operation of one (1) Global Internet (with "Attached Private Networks" option!) is really really really hard and would require a great deal of effort and resource which has (a) not been spent, (b) won't be spent for a lot of boringly pedantic reasons and (c) would probably be SNAFUed by reality (Bobby Shaftoe would put it more colorfully) and not work, anyway.

> What Marcus is promoting isn't "wide-eyed idealism," it's reality. That reality being there's no such thing as "kind of secure." It's either secure or it's not. You, and those who believe, or purport to believe, as you do are promoting "good enough." Well, half-way measures are *not* "good enough," *never* have been "good enough" and never *will* be "good enough."

I have to disagree. There is very much a "kind of secure" and there is by no means any such thing as "secure". "Security" is a mirage - our Fiddlers' Green - to be approached indefinitely but never arrived at. The question is never "how would you like your system secured from all potential intruders?" but rather "how much resource are you willing to spend increasing your system's security from where it is at the moment?" Your network is as secure as (for example) your ability to resist Van Eck phreaking of your users' monitors, keep them from coming in with pinhole cameras in their shirts to tape everything on their screens, and lock down their brains. As always, I am not saying that it is not worthwhile and effective to fight the good fight nor that any of us should take our responsibilities lightly - it is and we should. But this is the same old purist vs. pragmatist argument and nothing has ever changed to make me think there is any pure solution to be had. Even the very best Underground Black-Ops Government Datacenter will only incrementally creep closer to being all-caps "secure" and the rest of us will continue to live in a world that is somewhere short of that.

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards