Re: [fw-wiz] VPNmadness gets more support;

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 02/17/05

    To: Dave Piscitello <dave@corecom.com>
    Date: Thu, 17 Feb 2005 11:27:08 -0500 (EST)
    
    

    On Thu, 17 Feb 2005, Dave Piscitello wrote:

    > Date: Thu, 17 Feb 2005 07:09:50 -0500
    > From: Dave Piscitello <dave@corecom.com>
    > To: Paul D. Robertson <paul@compuwar.net>,
    > firewall-wizards-admin@honor.icsalabs.com

    I'm assuming the follow-up was meant to be on-list...

    > I see I've missed much while I've been away.
    >
    > Don't connect isn't the first consideration you should make.
    >
    > It's a conclusion, one you should draw once you identify the
    > risk/threat. You correctly conclude that power grids are too easily
    > threatened and the risk too great to connect via VPNs.

    It's the first network security consideration. Security works by denying
    access; don't connect is the first and most effective barrier, so it's
    best to start at the "top" and work down.

    If I can answer the "Do I need to connect this?" then I can start looking
    at the business issues if I do, but there's no point in going down that
    road if I don't need to.

    > Don't connect is not a business directive, either; in fact it flies
    > in the face of mobility and roaming initiatives every IT security
    > staff must contend with.

    Of course it's not a business directive, it's a security directive. Just
    because people *want* everything connected doesn't mean that they all get
    a blanket pass to wire everything up to everything else. IT security
    staff should contend with it like everything else: through a process that
    starts with "is this a necessary evil?"

    > You can't blame the Holland Tunnel when someone uses it to drive into
    > NYC and rob a bank. There's no admission control. Similarly, you
    > can't blame VPN tunnels when there's no admission control.

    Ah, but if there was no tunnel, then there'd be no robbery through that
    vector. That's the essence of it: security works by denying access. So
    the security process *must* *start* with evaluating the need for access at
    all. From there we can go to "how much more than none?" but to start
    anywhere else is to automatically lose valuable ground.

    > Having said this, I would conclude as you have Paul that even with
    > admission control, I would probably say "don't connect anyone to a
    > power grid network using VPN". But I would conclude differently for
    > user access to B2B and B2C information stores.

    For B2B, I'd start with the same question, because I'm not sure my users
    need access to B2B resources directly. For B2C, I'd again start with the
    same premise, then work forward from there. Because, for instance, I don't
    want my customers on my manufacturing network; it may very well be that
    hooking the product extrusion system to that Web server to have the
    customer's order tracked quickly is something "good" from a business
    perspective, but it may be that building a separate RFID tracking system
    hooked to the shipping warehouse door means that my production plant
    doesn't take the exposure risk and produces the same result.

    Just because there's a business case for something doesn't automagically
    mean that that case is the right thing to do.

    I've shot down *lots* of "great for one department" business cases because
    I have a fiduciary responsibility for an entire corporation. That
    responsibility means that I have to evaluate the risk starting at the
    "should this be connected" and work down from there. Often that means
    "sure, but in this way, not the easy, cheap and simple one."

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

