Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

RE: "firewalls are obsolete" rant
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 30 Jan 2006 10:54:31 -0500

Subject: RE: [fw-wiz] "firewalls are obsolete" rant

He actually has what sounds like a reasonable, work-related reason for
wanting to access a 
technically-related IRC network/channel.  I told him if he wanted to use a
Unix/Linux client 
approved by I.T., we could discuss it.  But no client/desktop systems,
particularly those 
from a Certain Large Software Company, and *certainly* no client/desktop
systems over which 
the end-user has admin rights.

We just went down this road last year.  It was not pretty.  But, this is an
excellent example for those list readers who are ivory tower consultant
types that think the infosec tail should wag the money-making dog. ;-)
Business "needs" will trump security standards, forcing security
practitioners to build controls for those exceptions.  

Being honest, if I had it to do over again, I would've fought harder to keep
it out.  What we came up with* mitigates the threat of bots and other
unauthorized clients getting back to an irc server outside our network, but
we wasted lots of time and energy to get there, all so a handful of people
didn't have to use e-mail to collaborate.  And since I can audit the
conversations that take place, I also know how much it's used.  We're still
"upside-down" on the value proposition that was used to argue for it.


* Happy to talk about this off-list if you're still in need of ideas.

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]