Re: [fw-wiz] iso 17799

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 07/21/04

    To: Dana Nowell <DanaNowell@cornerstonesoftware.com>, "Paul D. Robertson" <paul@compuwar.net>
    Date: Wed, 21 Jul 2004 15:58:35 -0400


    Dana Nowell wrote:
    >Thanks for the list, but methinks your rant missed the point. :-).

    No, I understood your point. I just don't think education is the
    issue. :)

    >Having worked in several micro start-ups
    >and small companies throughout my career, I can assure you they don't buy
    >$100,000 doo-dads.

    Uhm, I know. I've done start-ups too.

    > In fact the entire operations budget (host, network,
    >security, etc) MIGHT be $100,000/yr including salaries.

    Right, then you're small enough to approach security
    as a non-technical problem and actually solve it. By
    making sure your users are controlled, your network
    is tight, and your security is not a problem. It's only
    the big companies that are so pervasively populated
    with stupid middle managers and C-level execs that
    they can afford to buy $100,000 doo-dads. If you're
    small, you're small enough to implement simple
    proxy servers, segment your network, etc. It's much
    easier to overcome office politics and layer 8 issues
    in a small company.

    > So I think your
    >definition of small company and my definition of small company are
    >different (hint, if you need to use your fingers AND toes to count staff,
    >you are closing on the upper limit, borrow Paul's too and we're more than
    >covered ;).

    Hey, I used to be able to fit my entire company's
    staff AND a case of beer in a small hot tub. "Been
    there, done that."

    >Maybe where you work, a $100,000 doo-dad

    Maybe you need to go back and actually read my posting.
    Or, perhaps it was so badly written that you managed to
    get the exact opposite message from it than I intended. :(
    I was *trashing* the idea of the $100,000 doo-dad. It's a
    stupid approach. Did *ANY* of the "good practices" I
    post say "buy a $100,000 doo-dad"? They were all "do
    this," "don't do that." Most of the ideas I was recommending
    are cheap to implement technically, though often costly
    in terms of organization and office politics (which scale
    as the organization scales).

    >The push for standards by the marketing weenies has always existed. As you
    >state, because it helps them gain control over the market. BUT there is
    >now push for standards from the customer/geek/CEO and not because they want
    >the vendor to control the market. It's because they need help, any help in
    >getting a handle on direction.

    I see little evidence of that.
    In fact, the trends I see in the industry are largely contrary to what
    you assert. Can you explain the basis of your belief?

    >Oh, and for the record Marcus, we are outbound only, have a DMZ, and
    >consider the DMZ pre-poisoned whenever feasible. Handle attachments at the
    >gateway, use a mix of stateful and level 7 service handlers. Disallow new
    >protocol/service requests as a matter of course until a justification is
    >made. We DO NOT ALLOW mobile users direct access to the internal network,
    >they get a VERY few services (like mail) and are on a different logical
    >subnet with different firewall rules (in fact we export EXACTLY 4 services
    >to the public and about 6 to mobile users). We use default deny. We use a
    >centralized antivirus install that autoupdates the desktops as patches are
    >provided by our vendor (about a 10 minutes delay) all automagically, even
    >nights and weekends. We use centralized mail services that do SPAM and
    >attachment handling. We are small enough that almost all firewall traffic
    >is logged, certainly ALL inbound traffic is logged. All logs are
    >autoscanned via cron each night and a summary is emailed to me and several
    >others (vacation issue).

    SO WHAT IS YOUR PROBLEM? You've done all the "good stuff"
    I can think of!! My guess is your security is probably pretty good,
    right?

    That description you give above is a nice blueprint of a well-secured
    network. It's great!! That's how anyone with a clue secures their
    network. I bet you survive attacks that whack the stuffing out of
    your peers, right? Easily, right?

    >As much as I'd like to be unique, the number one, most secure, top of the
    >pile, best in the business guy in the industry, I doubt it.

    There is no such thing!! I mean, there's the guys who took
    bolt-cutters to their network connections and who epoxy
    their CAT-5 cables into the jacks, etc. If you asked them,
    they wouldn't tell you they were unique or #1, they'd just
    tell you they "solved the problem." There's always trade-offs
    in doing so. Namely connectivity. But connectivity is vastly
    overrated. ;)

    >I tend to
    >think that if I need information, some other people might like it too, and
    >probably several hundred people already have it.

    Yeah...

    > I spend some time each
    >month keeping up, researching patches/bugs, learning about new tech,
    >looking at protocols, writing memos on tech, etc. Any repository that
    >helps me or helps my admins so I get more time and they still get it right
    >is an official 'good thing' from my perspective, but maybe I'm unique.

    Clueful people have no problem (apparently you haven't, ergo you
    must be clueful!) finding the information they need and making
    sense out of it. Clueless people aren't going to use the information
    even if you chew it up into a palatable mush and squirt it down
    their throats the way a mother bird does for its chicks. They are
    beyond help. Don't waste your time on them. Tell them to buy
    the $100,000 doo-dad and solve the problem (as you have done)
    with a little discipline, some attention to detail, and brainpower.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
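The nightly log sweep Dana Nowell describes above (all inbound traffic logged, scanned by cron each night, summary mailed out) is small enough to show in full. The script below is an added example, not code from the original post or from either author. It assumes Netfilter/iptables LOG-style lines carrying a "DROP-IN:" or "ACCEPT-IN:" log prefix, a hypothetical PUBLIC_SERVICES allowlist standing in for the "exactly 4 services" the post says are exported, and constructed sample log lines (no real traffic). Beyond counting drops per source and per port, it flags any ACCEPT-IN to a (protocol, port) outside the allowlist, which is the ruleset-drift check a nightly summary should carry.

```python
#!/usr/bin/env python3
"""Nightly inbound firewall-log summary (added example, not from the post).

Assumes iptables/Netfilter LOG lines with a "DROP-IN:" / "ACCEPT-IN:" prefix
and SRC= DST= PROTO= DPT= fields. SAMPLE_LOG is constructed for this example;
PUBLIC_SERVICES is a hypothetical allowlist of the services exported to the
public. Unparseable lines are counted, not fatal, so the cron job finishes.
"""
import re
import sys
from collections import Counter

# Hypothetical allowlist: the only inbound (proto, dport) pairs the DMZ is
# supposed to export. Any other ACCEPT-IN means the ruleset has drifted.
PUBLIC_SERVICES = {("TCP", 25), ("TCP", 80), ("TCP", 443), ("UDP", 53)}

# Constructed sample lines in iptables LOG format (documentation addresses).
SAMPLE_LOG = """\
Jul 21 02:13:44 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=4455 DPT=445
Jul 21 02:13:45 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=4456 DPT=139
Jul 21 02:14:01 fw kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=4457 DPT=445
Jul 21 02:20:09 fw kernel: ACCEPT-IN: IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=25
Jul 21 03:01:30 fw kernel: ACCEPT-IN: IN=eth0 OUT=eth1 SRC=192.0.2.78 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443
Jul 21 03:05:12 fw kernel: ACCEPT-IN: IN=eth0 OUT=eth1 SRC=192.0.2.79 DST=198.51.100.12 PROTO=TCP SPT=51002 DPT=3389
Jul 21 04:44:00 fw kernel: DROP-IN: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.10 PROTO=UDP SPT=1900 DPT=1900
Jul 21 04:44:01 fw kernel: garbage line that does not parse
"""

LINE_RE = re.compile(r"kernel: (?P<action>DROP|ACCEPT)-IN: (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'action','src','dst','proto','dport'} or None if not understood."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    try:
        return {"action": m.group("action"), "src": f["SRC"], "dst": f["DST"],
                "proto": f["PROTO"], "dport": int(f["DPT"])}
    except (KeyError, ValueError):
        return None  # e.g. ICMP has no DPT; skip rather than crash the job


def summarize(lines, allowed=PUBLIC_SERVICES):
    """Aggregate one night's inbound log into plain Counters and lists."""
    drops_by_src, drops_by_port, accepts_by_port = Counter(), Counter(), Counter()
    unexpected = []  # ACCEPT-IN to a (proto, port) not in the allowlist
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["proto"], rec["dport"])
        if rec["action"] == "DROP":
            drops_by_src[rec["src"]] += 1
            drops_by_port[key] += 1
        else:
            accepts_by_port[key] += 1
            if key not in allowed:
                unexpected.append(rec)
    return {"drops_by_src": drops_by_src, "drops_by_port": drops_by_port,
            "accepts_by_port": accepts_by_port, "unexpected": unexpected,
            "unparsed": unparsed}


def format_report(s, top=5):
    """Render the summary as the text that cron will mail out."""
    out = ["Inbound firewall summary", "Top dropped sources:"]
    for src, n in s["drops_by_src"].most_common(top):
        out.append(f"  {src:<16} {n}")
    out.append("Top dropped (proto/port):")
    for (proto, port), n in s["drops_by_port"].most_common(top):
        out.append(f"  {proto}/{port:<6} {n}")
    out.append("Accepted inbound by (proto/port):")
    for (proto, port), n in sorted(s["accepts_by_port"].items()):
        out.append(f"  {proto}/{port:<6} {n}")
    if s["unexpected"]:
        out.append("!! ACCEPT-IN outside the exported-service list (check the ruleset):")
        for r in s["unexpected"]:
            out.append(f"  {r['src']} -> {r['dst']} {r['proto']}/{r['dport']}")
    if s["unparsed"]:
        out.append(f"({s['unparsed']} line(s) did not parse)")
    return "\n".join(out)


if __name__ == "__main__":
    # With a path argument, summarize that log; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(format_report(summarize(lines)))
```

Run it from cron against the previous day's log and pipe the output to mail (the recipient list is where the "vacation issue" is handled). On the sample input the report shows 203.0.113.5 sweeping ports 445/139, and one accepted connection to TCP/3389 on a DMZ host that is not on the exported-service list, which is exactly the line you want to see before anyone else does.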

