RE: [fw-wiz] Worms, Air Gaps and Responsibility
From: Carson Gaspar (carson_at_taltos.org)
To: firstname.lastname@example.org Date: Wed, 05 May 2004 22:28:26 -0400
--On Wednesday, May 05, 2004 19:32:56 -0400 "Paul D. Robertson"
> On Wed, 5 May 2004, Carson Gaspar wrote:
>> I can answer for the financials - the user desktops _are_ production. If
>> the homedir fileserver is compromised, you're in trouble, but you can't
>> isolate it from the desktops...
> For some sets of companies, that's true, but that's certainly not true for
> others- and even when it is, it isn't true of every desktop in the
As I said, for the financials - many other industries are far less doomed
>> VPN is a fact of life given 24/7 trading, and the client desktops need to
>> access file servers. The best you can do is lock down the VPN clients,
>> and manage the hell out of them.
>> In many cases you can firewall your core back office data from everything
>> else. Some companies try to firewall by business unit, but the inter-BU
>> requirements quickly make those such swiss cheese that they're mostly
>> useful as emergency fire doors when an outbreak happens.
> People keep telling me this, but at my last employer, I had a "firewall at
> each end and fixed security policy" implementation for WAN connectivity
> that worked just fine. Granted getting the capital for each node wasn't a
> fun thing and took most of a year- but I think one worm in the last 5
> years would have needed action with the policy as it was when I left.
Again, financials are one of the worst case scenarios. New York needs
access to Tokyo's data, from trader desktops, using proprietary apps, that
can change their network requirements at whim, if you can even get the
network requirements short of sniffing packets.
> Rate of change on production networks should be slow, measured and under
> change control- I think it's more a lack of ability to enforce good
> network discipline and fear of "complaints" more than actual "We tried it
> for a while and it wouldn't work."
Again, financials are not normal. We roll out new versions of trading
software every 2 weeks. It's a very controlled roll out, and we can roll
back everything or specific projects, but it churns mightily.
> I guess I'm just thinking that we should all take half a step back and
> start asking the basic "should this be connected to that?" question again.
I agree. My response was to your "what excuse do they have" question. In
my specific industry, they have a bunch. Most other industries don't make
every single dollar based on timely, accurate, electronic information. When
your entire business is manipulating flows of information, based on other
flows of information, limiting who can see what is a very tough job. Not
impossible, but extremely difficult, and very expensive.
-- Carson

_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards