>Ben Nagy <[EMAIL PROTECTED]> says:
>
>Where does the problem lie? Why is it that so few people in the "real world"
>are aware of security issues, or are prepared to take them seriously?
>Sometimes I don't know if all of us security guys are just paranoid freaks
>or if the industry at large are starry-eyed lambs romping into the big happy
>safe Internet which is there for the good of all. Doesn't writing firewall
>software that won't let you do things because in the opinion of firewall
>vendors "that's bad" sound wrong to you guys?
I believe part of the problem lies in the natural human response of not
wanting to recognize issues until they become a problem. A lot of
businesses do not take security seriously until there is an incident. Then
they react to the incident.
One observation I see is a lot of people get bogged down in examining the
details of specific protocols and end up asking the wrong question, e.g. "is
this protocol secure?" That is really the wrong question to ask. I was in a
customer meeting once and they were arguing about what protocols to allow
into their network from the Internet and why some protocols were bad or
poorly designed.
I brought everyone up short by asking "what are you trying to protect?" If
you have little of value to protect then your security measures will be
quite different than if you have extremely valuable information to protect.
This particular customer had not ever asked that question.
Another problem is getting a customer to take risk assessments seriously.
There is no foolproof security. Security is all about evaluating risk and
then taking responsibility for whatever decision you make. If your
business needs require you to run a certain application through your
firewall then you need to own up to the risks associated with that hole you
have created and take ownership of the risk. Oftentimes corporate
management dictates that the IT staff do the impossible and reduce risk to zero,
but allow inherently insecure applications through their firewall.
I believe firewalls are a useful technical tool for implementing a security
policy, but they are not the only tool and they can be abused and overused.
Smoot Carl-Mitchell