Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)

--- "Marcus J. Ranum" <mjr@xxxxxxxxx> wrote:
> This notion that security is a matter of degree is
> accurate in the large but inaccurate in the small.
> Unfortunately, we're all dealing with the small.

Well, we're all really dealing with both. Infosec is like
(not even "like", it "is") crime-fighting, and you can't
fix national crime rates without the cops on the street.

o The small - Anyone who has actual professional
assistance (cops, PIs, secret service...) dealing with
their crime situation should have a high level of
confidence in their measures, or they should fire their

- in infosec, we are the "pros". Where someone employs
one of us directly we should make them very safe.

o The large - All the rest live in a statistical world of
crime prevention where their safety has more to do with the
statistical success of pros and the folks who support them.

- As we all know, that is a measurable science - crime
rates are high or low for demonstrable reasons (but they
are never 0%).

o The macro issues are all we can manipulate to protect the

- what kind of homes/cities people live in; best practices
at all levels; tools and methodology for crime-fighting and
non- activities - when these are better or worse it makes a
real difference to vast numbers of real people.

- getting better products, architectures and best
practices (Good Memes) into the infosec ecosphere may not
save any particular network, but it could lower the number
of victims or have some other positive impact on the
average threat profile.

If I haven't lost everyone with analogies yet, all I mean
is that not all of the Siblings here combined will ever
touch every network and make it whole. So while we should
all be personally offended and disgusted if anyone ever
cracks a network we took responsibility for (the small), we
also shouldn't lose sight of the aggregate goal of making
the whole thing acceptably safe in the end (the large), no
matter how slippery a pursuit it is.



firewall-wizards mailing list