Re: [fw-wiz] Too Paranoid?

From: Frederick M Avolio (fred@avolio.com)
Date: 09/29/02


To: Dave Piscitello <dave@corecom.com>, James Triplett <james@thelix.net>
From: Frederick M Avolio <fred@avolio.com>
Date: Sun Sep 29 20:01:00 2002

At 01:57 PM 9/29/2002 -0400, Dave Piscitello wrote:
>Totally in agreement.
>
>Any reputable vendor should appreciate this, and should be willing to explain
>what security measures they have implemented to your satisfaction, or if
>not to your satisfaction, willing to work to resolve differences between their
>security posture and what your policy requires.

Which planet would you be talking about? Key word in this, of course, is
"should." Most probably it is "can't" because "never thought of it." Most
reputable vendors SHOULD but don't.

Most reputable vendors behave just as this one does. They are certain it is
Not So Bad. And in their mind, it is not. Because all they know is
firewalls make things secure and it can work with the firewall in place, as
long as you poke a hole or two through it.

I don't envy you and hope you have a pretty good policy in place you can
point to. Otherwise you are in between that vendor and the users who want
to use what that vendor is selling. Worst case is the solution is already
purchased and you not only have the users clamoring for it, but the person
in the company who chose it now will be on your case because you are making
him look bad as well. God help you if it is some executive vice president.

All the suggestions so far are great, and Dave's comments are, of course,
right on target.

Those of you out there who are not in this position should play the game
"what if it were me, what if it was here?"

Do tell us how it turns out.

Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/