Re: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 12/12/04
- Previous message: Kevin: "Re: [fw-wiz] Lists of IP's we should be blocking"
- In reply to: Marcus J. Ranum: "Re: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)"
- Next in thread: Jim Seymour: "Re: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)"
- Reply: Jim Seymour: "Re: [fw-wiz] How to Save The World (was: Antivirus vendor conspiracy theories)"
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Sun, 12 Dec 2004 12:18:47 -0500 (EST)
On Wed, 8 Dec 2004, Marcus J. Ranum wrote:
> Devdas Bhagat ruthlessly trolls for rants with this bait:
And it worked...
> >Then users need to accept a small bit of slowing down as the cost of
> >security.
>
> That is just so much boolah and we all know it.
Unfortunately, it would appear that many of the collective us don't know
it...
>
> "Performance" is the first money-wrench that users
> reach for when they are trying to come up with an
> excuse to blockade security. I have yet to run into
I've had it tried on me more times than I can count. Where it was an
active concern, I provided some sort of measurement to executive
management- however- my better and standard answer was to point out that
security was *mandated* by the *policy* for what they wanted to do, so if
they wanted to do it _faster_, I'd be happy to spec out faster machines
and more networking gear to meet their requirements should they wish to
budget for it.
Not one single taker. Ever.
> an instance where someone who has complained
> about "poor performance" has ever backed it up
> with measurements. (Except for the instances
> where performance was *zero* because someone
> unplugged a firewall, or put a "block all" rule in
> place) I've seen cases where users didn't realize
> they were behind one of those "slow" proxy firewalls
> until someone told them. Then, of course, it was
> "too slow" and had to be taken out.
I got that once- switched a good-sized organization over to a new proxy
firewall - whine, whine, whine, until they learned that they'd been
*sharing* a slower system with another organization for several years, and
now they had 1/2 the users and probably 5x the system resources.
Half-clued admins are fun to LART.
> That's not to say that various security implementations
> don't have some kind of performance impact! I'm sure
> that they do. What honks me off, however, is that
> the performance argument is widely accepted in
> spite of the fact that it's never measured. In the
> absence of measures, one might as well use
> feng shui or dowsing as a means of designing one's
> network - it's just as scientific.
I abhor measurement, and always try to budget for enough capacity that I
don't have to do it until I'm near the end of the lifecycle.
>
> "You must install a proxy firewall this week;
> the moon is in the 3rd house and the
> router is ascendant. That means that since
I don't like Ascend routers :-P
> our T1 goes north-south we need to
> sacrifice 3 black roosters to keep the
> hackers out."
Or you could just get on the fiber ring... circles have more natural
energy...
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards