Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 06/04/05

  • Next message: Nils Vogels: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
    To: Scott Stursa <stursa@mailer.fsu.edu>
    Date: Fri, 03 Jun 2005 18:11:48 -0400
    Scott Stursa wrote:
    >> - Some of the products we're buying aren't being used
    >> properly
    >
    >"Some"? Don't you mean "most"?

    Geeze. The one time I *TRY* to be nice, people on the list
    don't let me get away with it. I had originally written
    "virtually all" but figured that came across as a bit
    too categorical. ;)

    >> - There is no correlation between cost and effectiveness
    >> of security products
    >
    >There may be, but it's very low.

    There may be, but the presence of open source alternatives
    really upsets the applecart when it comes to figuring out
    the value proposition of some of these things...

    >Last spring we completely re-engineered the network for a large school
    >here at the university. I redesigned the network to put different
    >populations of hosts into separate network segments; internal-use-only
    >servers on one, desktops on another, etc. I implemented port security on
    >the switches so that they can't just walk in and plug in a laptop.

    That's awesome!!!!

    > We put
    >wireless on its own segment and force authentication through a BlueSocket.
    >All these segments are set up on separate VLANs and communicate with each
    >other via a PIX (utilizing the VLAN support introduced in 6.3 code). IRC
    >and "fun" stuff (e.g., msn messenger) are blocked, inbound and out.
    >
    >To a great degree I relied on the principles outlined by you in your "Re:
    >ISO 17799" post to this list on 20 July 2004.
    >
    >This plan put me at odds with my manager (an arrogant young man who
    >considers himself God's Gift to IT), who felt that "our first goal
    >should be to get the network up and stable - we can go back and make it
    >secure later". I countered with, "An insecure network is an unstable
    >network - just ask the [protect-the-clueless] department". He didn't have
    >an answer for that.

    That's because there isn't one! :) That's a great response.
    Security == reliability. Security == performance.

    >So I held my ground and we did it my way. The result - no compromised
    >hosts since then (beginning of March).
    >
    >But I've paid for that. Two months ago he did a performance appraisal on
    >me, giving me the first "unsatisfactory" rating I've received in 26 years
    >of working for the university. I'm on probation and having to document
    >literally every minute of my day. Not that it will make any difference - I
    >fully expect to be unemployed when my contract expires in August.

    So you think this is an act of petty revenge from a small-minded
    pissant? It's certainly possible and that happens. :( Presumably
    your University's HR department has mechanisms for appealing
    an appraisal, and it sounds like you have a good track record
    you can point to. It's quite possible that you're going to lose this
    fight, but I sure hope you leave some big scars on the opposition.
    You've got until August to file protests and grievances and make
    as big a stink as possible. Speaking as an ex-manager and ex-CEO
    I can assure you that in most senior execs' minds (those that have
    them) nobody ever "wins" an affair like this. Both parties lose.
    If you make a stink you'll drag his career there down, too. If
    he isn't a complete idiot he'll know that - you ought to try talking
    to him and see if you can work something out.

    >This is the price I'm paying for *not* being a "sissy".

    I know it doesn't help much, but sometimes there is a small
    amount of satisfaction that comes from doing the right thing. I
    hope so, anyhow. It's about the only thing that gets me up in
    the morning, most days. :(

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


