RE: "firewalls are obsolete" rant
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 30 Jan 2006 10:54:31 -0500
Subject: RE: [fw-wiz] "firewalls are obsolete" rant
He actually has what sounds like a reasonable, work-related reason for
wanting to access a
technically-related IRC network/channel. I told him if he wanted to use a
approved by I.T., we could discuss it. But no client/desktop systems,
from a Certain Large Software Company, and *certainly* no client/desktop
systems over which
the end-user has admin rights.

We just went down this road last year. It was not pretty. But, this is an
excellent example for those list readers who are ivory tower consultant
types that think the infosec tail should wag the money-making dog. ;-)
Business "needs" will trump security standards, forcing security
practitioners to build controls for those exceptions.

Being honest, if I had it to do over again, I would've fought harder to keep
it out. What we came up with* mitigates the threat of bots and other
unauthorized clients getting back to an irc server outside our network, but
we wasted lots of time and energy to get there, all so a handful of people
didn't have to use e-mail to collaborate. And since I can audit the
conversations that take place, I also know how much it's used. We're still
"upside-down" on the value proposition that was used to argue for it.

* Happy to talk about this off-list if you're still in need of ideas.

firewall-wizards mailing list
firewall-wizards () honor icsalabs com