This is a classic "perfect world" versus "real world" scenario. I think
Chris Blask nailed it on the head earlier when he said we have to
acknowledge (and live with) the limitations of what we have while
working to build something better. That's a challenge to be taken
individually AND as a collective.
Generally, I preach risk management rather than hard-line security,
because it is language that upper management tends to understand (even
better than ridicule and abuse, plus you tend to not get fired as often
;-)). Maximum risk reduction is always going to be a moving target, but
any reasonable security policy is based on a plan-build-analyze-improve
model that even the most curmudgeonly executives can buy into.
The biggest challenge is that we have to live with the tools (and
budgets) we have, so a holistic approach is always going to be better
than the more common approach of over-investing/over-relying on a single
box with the latest gee-whiz features. This has probably contributed to
more problems than just about anything else, IMO.
Rather than praying/whining/demanding for folks in the security industry
to "get it right," we need to start now by putting (or, in many cases,
simply turning on!) security everywhere (endpoints, gateways, servers,
appliances, routers, switches, what-have-you), get these bits-and-pieces
talking to each other whenever and wherever we can, and at the same time
ensure that our Moms can still download pictures of their grandkids
without having to call us for tech support (I, for one, would REALLY
appreciate that!)
-bill
-----Original Message-----
From: firewall-wizards-admin_at_honor.icsalabs.com
[mailto:firewall-wizards-admin_at_honor.icsalabs.com] On Behalf Of Mark Tinberg
Sent: Wednesday, June 01, 2005 11:17 AM
To: Marcus J. Ranum
Cc: Paul D. Robertson; Fritz Ames; Ben Nagy;
firewall-wizards_at_honor.icsalabs.com
Subject: Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 31 May 2005, Marcus J. Ranum wrote:
> They're sensitive to ridicule and abuse. They're impervious
> to clues.
While I appreciate the sentiment, I don't think that approach will work
for everyone. Not everyone is curmudgeonly enough or has the cojones to
enter into an adversarial relationship with their superiors. I don't want
that kind of stress and tension in my life, at my work, putting out fires
is less stressful for me.
I'm lucky that my bosses are largely intelligent people with whom I can
discuss problems and often-times come to a better solution than what I had
originally proposed. Sometimes we disagree, and my bosses are wrong 8^),
but part of my job is that when a decision is made above my pay-grade, to
do what I'm told. I suppose I could quit every other month when something
doesn't go my way, like a petulant child, but that doesn't seem productive
to me.
At least that's how I see it. I know that some people will and some won't
understand where I'm coming from, but I thought the statement should be
made, as an FYI, not so much as a discussion.
- --
Mark Tinberg <MTinberg_at_securepipe.com>
Network Administrator, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/
iD8DBQFCne1wFu7F5OUjbGcRAtooAJ0bjK4/4fLMwwFFjgObl6wv5uFBlwCgyIDb
JhaSOj0FKAhIi/ngzfk9lr8=
=te14
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jun 01 2005