Re: [fw-wiz] iso 17799

From: R. DuFresne (
Date: 07/22/04

    To: Dana Nowell <>
    Date: Wed, 21 Jul 2004 23:21:46 -0400 (EDT)


    > OK, so I have a clue, you have a clue, Paul has a clue, and I'd bet several
    > others around here have a clue, let's find a way to share. That's all I'm
    > recommending. I think if we don't share now the marketing droids will win
    > (yeah, OK probably will anyway) and we will get 'standards' then we will
    > have to battle the standards where they don't make sense (remember
    > everything tunneled over HTTP anyone :-). Either way, it's time to share
    > ammo and concentrate fire, it's a target rich environment and I'm having
    > trouble choosing some days. Assuming we can agree to share, the real
    > problem is what and how do we share. Any suggestions? Should it be a new
    > subject? Should we forget it (is the list enough)?

    Though it hasn't been updated in some time, I bet the firewalls-faq is
    still available online.

    There are tons of books on firewalling and basic security techniques, I
    must have 15 or 20 in my bookcase, some in the second edition like
    "Firewalls and Internet Security" by Cheswick, Bellovin, and Rubin.

    Most *nix's have various documents explaining how to set up various
    security components: man pages, READMEs, FAQs.

    Most all of these are based upon the points Marcus posted to this thread
    one or two posts back, all fine points well known and documented and
    available to one and all for ten years or more. If there are standards,
    or basic principles, those Marcus listed are pretty much it. The thing is
    though, no one wants 'standards', no one really wishes to follow the
    basics, gawdman, this is the IT field after all <smile>, it's bleeding edge
    or nothing. Every time someone is advised that what they wish to do is
    risky and will be making Swiss cheese of their network, there's a little
    voice in the back of their heads that tells them "the risk can be
    minimised" or "you're too small to be a target, you're hiding in a haystack of
    numbers after all". Or worse yet, there's a voice in their boss's ear,
    perhaps a sales lizard marketing the doo-dad, and claiming that it's
    solved all security risks with its proprietary GUI, triple WEP encrypted
    internal routing scheme that can statefully proxy anything tossed at it while
    probing each packet for nasties not yet developed, so you too can pass
    everything that can be enveloped in any HTTP packet, including all those
    nasty Microsoft ports that 'were' once unsafe to pass internet-wise. And
    of course then the boss gets you a new toy and tells you to fix it so he
    can control his toaster and TV and fridge from his desktop while IM'ing
    with his golf buddies and checking his savings from his desk at work, and
    you get to put it <the new toy> to work, so he can -=work=-.

    The standards exist, but, what fun are standards that prevent one from
    pushing the envelope of insanity?


    Ron DuFresne

            admin & senior security consultant:
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    firewall-wizards mailing list

