Re: [fw-wiz] PCI DSS & Firewalls


Wouldn't it be nice if we all lived in Marcus' world? Perhaps we ought to
just mandate that everyone scrap their current networks and have Mr. Ranum
come in and redesign them from the ground up. We would clearly end this
issue of security breaches once and for all.

In the meantime, we really ought to be helping folks move from WHERE THEY
ARE to WHERE THEY NEED TO BE, even if it's in incremental baby steps, based
on ability, budget, and sensitivity to risk. This is the world that Chris
and I live in, and until Marcus' parallel universe overtakes our own, this
is the battle we all must fight.

Is that a nod for mediocrity? Hardly. The reality is that, incompetent or
not, many IT managers are doing the best they can with what they have, with
real constraints on what they can do next, and need our help within that
context. Short of a Ranum dictatorship, we really need to recognize that
wide-eyed idealism, however well-intentioned, is never a reasonable
replacement for dealing with the vagaries of the reality we actually


On 4/3/09 8:31 AM, "Chris Blask" <chris@xxxxxxxxx> wrote:

Marcus J. Ranum <mjr@xxxxxxxxx>, Friday, April 3, 2009 9:06:53 AM

Chris - you're better than this. Stop being an apologist for

I wouldn't put it that way myself, but I also wouldn't argue the fine points
of the definition. We live in a world of varying perfection and - while it is
a wonderful thing to effect perfection where possible - it falls on us to
devise solutions that also have a positive impact on mediocrity and even,
where possible, function in the presence of incompetence. It wouldn't be
defensible for me to take this position unless there were others out there
railing for perfection, but we're never short of such voices in our field.

All of us understand that you can do a half-assed job, or that
you can throw up your hands and say "things suck but I'll do the
best that I can in the circumstances." We all know that. But
please don't adopt defeatism as policy.

I leave it for others to judge, but I would hope that accepting defeatism is
not a descriptive that would apply to me. Rather, I would say that I accept
situations the way they are when I show up and do what I can to improve them.
Whether it is accurate to say that a given situation sucks is a qualitative
judgement that really requires a great deal of insight into the back story
regarding how it got to the current state, and whether through lack of
patience or attention span (I embrace my ADD) I only care about the past as it
applies to the options for the future.

Sure I often find myself in the position to be accused of 'defending
mediocrity', but it's not in the context of giving up and accepting defeat.
It's just the only way I know to limit the options I focus on to the ones that
could actually appear in the real world.


