On Thu, 17 Feb 2005, Dave Piscitello wrote:

> Date: Thu, 17 Feb 2005 07:09:50 -0500
> From: Dave Piscitello
> To: Paul D. Robertson ,
> firewall-wizards-admin@honor.icsalabs.com

I'm assuming the follow-up was meant to be on-list...

> I see I've missed much while I've been away.
> Don't connect isn't the first consideration you should make.
> It's a conclusion, one you should draw once you identify the
> risk/threat. You correctly conclude that power grids are too easily
> threatened and the risk too great to connect via VPNs.

It's the first network security consideration. Security works by denying
access; don't connect is the first and most effective barrier- so it's
best to start at the "top" and work down.

If I can answer the "Do I need to connect this?" then I can start looking
at the business issues if I do- but there's no point in going down that
road if I don't need to.

> Don't connect is not a business directive, either; in fact it flies
> in the face of mobility and roaming initiatives every IT security
> staff must contend with.

Of course it's not a business directive, it's a security directive. Just
because people *want* everything connected doesn't mean that they all get
a blanket pass to wire everything up to everything else. IT security
staff should contend with it like everything else- through a process that
starts with "is this a necessary evil?"

> You can't blame the Holland Tunnel when someone uses it to drive into
> NYC and rob a bank. There's no admission control. Similarly, you
> can't blame VPN tunnels when there's no admission control.

Ah, but if there was no tunnel, then there'd be no robbery through that
vector. That's the essence of it- security works by denying access. So
the security process *must* *start* with evaluating the need for access at
all. From there we can go to "how much more than none?" but to start
anywhere else is to automatically lose valuable ground.

> Having said this, I would conclude as you have Paul that even with
> admission control, I would probably say "don't connect anyone to a
> power grid network using VPN". But I would conclude differently for
> user access to B2B and B2C information stores.

For B2B, I'd start with the same question- because I'm not sure my users
need access to B2B resources directly. For B2C, I'd again start with the
same premise, then work forward from there. Because, for instance I don't
want my customers on my manufacturing network- it may very well be that
hooking the product extrusion system to that Web server to have the
customer's order tracked quickly is something "good" from a business
perspective- but it may be that building a separate RFID tracking system
hooked to the shipping warehouse door means that my production plant
doesn't take the exposure risk and produces the same result.

Just because there's a business case for something doesn't automagically
mean that that case is the right thing to do.

I've shot down *lots* of "great for one department" business cases because
I have a fiduciary responsibility for an entire corporation. That
responsibility means that I have to evaluate the risk starting at the
"should this be connected" and work down from there. Often that means
"sure but in this way, not the easy, cheap and simple one."

Paul D. Robertson
paul@compuwar.net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list