nanog mailing list archives
Re: bloomberg on supermicro: sky is falling
From: William Herrin <bill () herrin us>
Date: Wed, 10 Oct 2018 14:19:05 -0400
On Wed, Oct 10, 2018 at 1:53 PM Naslund, Steve <SNaslund () medline com> wrote:
> Mr Herrin, you are asking us to believe one or all of the following:
> 1. You believe that it is good security policy to NOT have a default DENY ALL policy in place on firewalls for DoD and Intelligence systems handling sensitive data.

Steve, I believe it's a good idea for every security control to trace to first principles not just as conceived but as implemented. Default-deny-all is not a first principle. It often traces. Often is not always. Treating often as always is the sort of lazy error that leads users to work around non-sensible security implementations, demolishing the security they would have provided.

> 2. You managed to convince DoD personnel of that fact and actually got them to approve an Authorization to Operate such a system based on cost savings.

You mischaracterize it as "cost savings" but that's essentially correct. I spent six months going through the 1100 controls they laid on me and where I thought a control would be destructive I provided a thorough analysis of the anticipated mission impact for both the control as written and the proposed alternate mitigation. The impact is far more than a dollar sign. Make it hard to use and you sap the system's utility to the mission. Make it hard to manage and you increase the probability of error, decreasing the system availability. And so on. Won some of the arguments. Lost others. Built a better system with happier users for the effort. You can believe that or not as you choose.

Regards,
Bill Herrin

--
William Herrin ................ herrin () dirtside com  bill () herrin us
Dirtside Systems ......... Web: <http://www.dirtside.com/>