RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

From: Bill McGee (bam) (bam_at_cisco.com)
Date: 06/02/05

    To: "Mark Tinberg" <mtinberg@securepipe.com>, "Marcus J. Ranum" <mjr@ranum.com>
    Date: Wed, 1 Jun 2005 16:03:03 -0700
    
    

    This is a classic "perfect world" versus "real world" scenario. I think
    Chris Blask nailed it on the head earlier when he said we have to
    acknowledge (and live with) the limitations of what we have while
    working to build something better. That's a challenge to be taken
    individually AND as a collective.

    Generally, I preach risk management rather than hard-line security,
    because it is language that upper management tends to understand (even
    better than ridicule and abuse, plus you tend to not get fired as often
    ;-)). Maximum risk reduction is always going to be a moving target, but
    any reasonable security policy is based on a plan-build-analyze-improve
    model that even the most curmudgeonly executives can buy into.

    The biggest challenge is that we have to live with the tools (and
    budgets) we have, so a holistic approach is always going to be better
    than the more common approach of over-investing/over-relying on a single
    box with the latest gee-whiz features. This has probably contributed to
    more problems than just about anything else, IMO.

    Rather than praying/whining/demanding for folks in the security industry
    to "get it right," we need to start now by putting (or, in many cases,
    simply turning on!) security everywhere (endpoints, gateways, servers,
    appliances, routers, switches, what-have-you), get these bits-and-pieces
    talking to each other whenever and wherever we can, and at the same time
    ensure that our Moms can still download pictures of their grandkids
    without having to call us for tech support (I, for one, would REALLY
    appreciate that!)

    -bill

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Mark Tinberg
    Sent: Wednesday, June 01, 2005 11:17 AM
    To: Marcus J. Ranum
    Cc: Paul D. Robertson; Fritz Ames; Ben Nagy; firewall-wizards@honor.icsalabs.com
    Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tue, 31 May 2005, Marcus J. Ranum wrote:

    > They're sensitive to ridicule and abuse. They're impervious
    > to clues.

    While I appreciate the sentiment, I don't think that approach will work
    for everyone. Not everyone is curmudgeonly enough or has the cojones to
    enter into an adversarial relationship with their superiors. I don't
    want that kind of stress and tension in my life, at my work, putting out
    fires is less stressful for me.

    I'm lucky that my bosses are largely intelligent people with whom I can
    discuss problems and often-times come to a better solution than what I
    had originally proposed. Sometimes we disagree, and my bosses are wrong
    8^), but part of my job is that when a decision is made above my
    pay-grade, to do what I'm told. I suppose I could quit every other month
    when something doesn't go my way, like a petulant child, but that
    doesn't seem productive to me.

    At least that's how I see it. I know that some people will and some
    won't understand where I'm coming from, but I thought the statement
    should be made, as an FYI, not so much as a discussion.

    - --
    Mark Tinberg <MTinberg@securepipe.com>
    Network Administrator, SecurePipe Inc.
    Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.5 (GNU/Linux)
    Comment: For info see http://quantumlab.net/pine_privacy_guard/

    iD8DBQFCne1wFu7F5OUjbGcRAtooAJ0bjK4/4fLMwwFFjgObl6wv5uFBlwCgyIDb
    JhaSOj0FKAhIi/ngzfk9lr8=
    =te14
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

