Re: [fw-wiz] Too Paranoid?

From: Dave Piscitello (dave@corecom.com)
Date: 09/29/02


From: Dave Piscitello <dave@corecom.com>
To: Frederick M Avolio <fred@avolio.com>, James Triplett <james@thelix.net>
Date: Sun Sep 29 20:46:00 2002

Brief postscript to my earlier mail, partly in response to Fred.
And Fred's right that "should" was a keyword...

Most vendors, even many security vendors, don't appreciate the full picture
in even the smallest of real world deployments. But I failed to mention
that in the scenario I mentioned where the SCO box was "wide open", we
audited the system, listed our concerns, and gave them not to the engineers
and ops folks, but the sales person.

It was *his* BMW on the line, in return for *our* security peace of mind.

Your sales rep can often be your champion in your vendor's shop. In this case,
we asked them to make what I'd consider reasonable efforts to harden the
SCO box, and we came to agreement on a configuration that would minimize
fallout should their box be compromised. Wasn't perfect, but it was far
better than the "accept as is" configuration.

At 08:10 PM 9/29/2002 -0400, Frederick M Avolio wrote:
>Most reputable vendors behave just as this one does. They are certain it
>is Not So Bad. And in their mind, it is not. Because all they know is
>firewalls make things secure and it can work with the firewall in place,
>as long as you poke a hole or two through it.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com
