Re: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
From: George Capehart (capegeo_at_opengroup.org)
To: firstname.lastname@example.org
Date: Thu, 27 May 2004 17:58:06 -0400
On Wednesday 26 May 2004 06:30 pm, Marcus J. Ranum wrote:
> threats and vulnerabilities are, and whack those. That's a really
> useless approach in the long run. I'd guess that a significant number
> of the firewalls I've seen are being used to knock down "well known
> bad things" instead of "only allow a few good things." I did a talk
> the other day in which I outlined the "old-school" secure firewall
> approach (non-routed networks, proxy everything, default deny, audit
> policy violations) and people in the room were amazed: "None of our
> users would accept that kind of solution!" they cried. Therein lies
> the rub. As long as something so important as security is the tail
> trying to wag the dog, it's not going to go anyplace.
*crawls out from under rock, drags out soap box*
Seems to me this is less a case of security being the tail trying to wag
the dog as it is a case of users being the tail that actually wags the
dog. One must wonder who is running the company. These are policy
issues, for crying out loud! Sounds like it's time to introduce a
certification and accreditation process into those organizations.
Doesn't have to be as rigorous as DITSCAP or SP 800-37 . . . just
something that forces the people in the company who are supposed to be
managing the risk to do so . . . or formally, in writing, accept the
risk that they're *not* managing.
My 0.02 $currency_denomination.
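The two firewall philosophies contrasted in the quoted text, "knock down well-known bad things" versus "only allow a few good things" with policy violations audited, as an added illustration that is not part of either poster's message. The addresses, ports and flows below are constructed for the demonstration, and the allowlist and denylist are hypothetical policies, not anyone's real ruleset.

```python
"""Denylist vs. default-deny policy evaluation, with audit lines for violations."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample traffic for the demonstration; not captured data.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.1.5", "10.2.0.10", 443, "tcp"),   # HTTPS to the outbound proxy
    Flow("10.1.1.5", "10.2.0.20", 25, "tcp"),    # SMTP to the mail relay
    Flow("10.1.1.9", "10.2.0.30", 53, "udp"),    # DNS to the internal resolver
    Flow("10.1.1.7", "10.2.0.20", 445, "tcp"),   # SMB: a "well known bad thing"
    Flow("10.1.1.7", "10.2.0.40", 6667, "tcp"),  # IRC: on nobody's list
]

# "Knock down well-known bad things": a hypothetical denylist of destination ports.
DENYLIST_PORTS: FrozenSet[int] = frozenset({135, 139, 445})

# "Only allow a few good things": a hypothetical allowlist of (dst, dport, proto)
# triples naming the handful of internal services users may reach.
ALLOWLIST: FrozenSet[Tuple[str, int, str]] = frozenset({
    ("10.2.0.10", 443, "tcp"),
    ("10.2.0.20", 25, "tcp"),
    ("10.2.0.30", 53, "udp"),
})


def denylist_decision(flow: Flow) -> str:
    """Permit everything except traffic to a known-bad port."""
    return "DROP" if flow.dport in DENYLIST_PORTS else "ACCEPT"


def default_deny_decision(flow: Flow) -> str:
    """Permit only what the policy explicitly names; drop everything else."""
    key = (flow.dst, flow.dport, flow.proto)
    return "ACCEPT" if key in ALLOWLIST else "DROP"


def evaluate(flows: List[Flow], decide: Callable[[Flow], str]) -> Dict[Flow, str]:
    """Apply one decision function to every flow and return the verdicts."""
    return {flow: decide(flow) for flow in flows}


def audit_policy_violations(decisions: Dict[Flow, str]) -> List[str]:
    """One syslog-style line per dropped flow, so violations can be reviewed."""
    return [
        f"POLICY-VIOLATION src={f.src} dst={f.dst} dport={f.dport} proto={f.proto}"
        for f, verdict in decisions.items()
        if verdict == "DROP"
    ]


def compare(flows: List[Flow]) -> Dict[str, int]:
    """Count what each model admits; the gap is traffic the denylist never anticipated."""
    deny = evaluate(flows, denylist_decision)
    allow = evaluate(flows, default_deny_decision)
    slipped = [f for f in flows if deny[f] == "ACCEPT" and allow[f] == "DROP"]
    return {
        "denylist_accepted": sum(v == "ACCEPT" for v in deny.values()),
        "default_deny_accepted": sum(v == "ACCEPT" for v in allow.values()),
        "slipped_past_denylist": len(slipped),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_FLOWS))
    for line in audit_policy_violations(evaluate(SAMPLE_FLOWS, default_deny_decision)):
        print(line)
```

The IRC flow is the point: it matches nothing on the denylist, so that model admits it silently, while the default-deny model drops it and leaves an audit line behind for the people who are supposed to be managing the risk.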
firewall-wizards mailing list