On Thu, 2 Jun 2005, Marcus J. Ranum wrote:

> Bill McGee (bam) wrote:
> >This is a classic "perfect world" versus "real world" scenario. I think
> >Chris Blask nailed it on the head earlier when he said we have to
> >acknowledge (and live with) the limitations of what we have while
> >working to build something better. That's a challenge to be taken
> >individually AND as a collective.

> I must disagree.
> As I read your posting, I had to take a couple of deep breaths
> because it triggered a really strong emotional response in me,
> and I wasn't sure why.

Likewise yours triggered a strong response in me, and I know exactly why.

Not that I disagree with you - I don't. In fact, I've had a lot of respect
for you since attending the IDS tutorial you gave at the 2000 USENIX
Security conference.

Plus, like me, you own a Harley (yours may be prettier, but I'm sure mine
is faster).

And I agree with most of your post; where I have an issue is with the
"standing up to the manager" bit.


> Some possibilities:
> - Some of the products we're buying simply don't work

Too true.

> - Some of the products we're buying aren't being used
> properly

"Some"? Don't you mean "most"?

> - There is no correlation between cost and effectiveness
> of security products

There may be, but it's very low.

> To me, the stellar example remains the whole firewall
> "debate" of the early 1990's. Let's not beat around the
> bush: convenience kicked security's ass in 1994 and
> has been kicking it ever since. Yes, there are lots of
> perfectly good-sounding "business justifications" for
> doing it, but today's firewalls let too much stuff back
> and forth. To me, the fact that organizations with
> firewalls continue to get brutally hacked is empirical
> proof of that view.

I've audited a number of FWs here (mostly PIXs) and most have rulesets so
loose that running the firewall is pointless.

> I know a handful of organizations
> that have very strict firewalls with draconian and
> unpopular rulesets - and they simply don't get
> hacked.

That's true for the one I administer. They've not been hacked since I took
it over, but they complain about not being able to do msn messenger.

> I am totally sympathetic to the plight of the security
> practitioner who isn't willing to put his job on the line
> by telling the CTO he's a moron. I completely understand
> why people feel they need to compromise. But I still
> think compromise is for sissies.

THIS is what got me riled.

Last spring we completely re-engineered the network for a large school
here at the university. I redesigned the network to put different
populations of hosts into separate network segments; internal-use-only
servers on one, desktops on another, etc. I implemented port security on
the switches so that they can't just walk in and plug in a laptop. We put
wireless on its own segment and force authentication through a BlueSocket.
All these segments are set up on separate VLANs and communicate with each
other via a PIX (utilizing the VLAN support introduced in 6.3 code). IRC
and "fun" stuff (e.g., msn messenger) are blocked, inbound and out.

To a great degree I relied on the principles outlined by you in your "Re:
ISO 17799" post to this list on 20 July 2004.

This plan put me at odds with my manager (an arrogant young man who
considers himself God's Gift to IT), who felt that "our first goal
should be to get the network up and stable - we can go back and make it
secure later". I countered with, "An insecure network is an unstable
network - just ask the [protect-the-clueless] department". He didn't have
an answer for that.

So I held my ground and we did it my way. The result - no compromised
hosts since then (beginning of March).

But I've paid for that. Two months ago he did a performance appraisal on
me, giving me the first "unsatisfactory" rating I've received in 26 years
of working for the university. I'm on probation and having to document
literally every minute of my day. Not that it will make any difference - I
fully expect to be unemployed when my contract expires in August.

This is the price I'm paying for *not* being a "sissy".


p.s. Harley for sale - priced for quick sale!

Scott L. Stursa 850/644-2591
Network Security Analyst stursa@mailer.fsu.edu
OTI Enterprise Security Group Florida State University

- No good deed goes unpunished -
firewall-wizards mailing list
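The segmented design described in the post (servers, desktops and wireless on separate VLANs, routed through one firewall with a default-deny policy and IRC/MSN blocked) and the earlier remark about audited rulesets being too loose to matter, as an added example that is not part of the original thread. The segment addresses, the allowed flows and the port numbers are constructed for illustration; nothing here is the poster's actual PIX configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_network, ip_address
from typing import Optional

# Constructed segment plan modelled on the post: one subnet per VLAN,
# all inter-segment traffic passes through the firewall. Addresses are made up.
SEGMENTS = {
    "servers":  ip_network("10.10.10.0/24"),   # internal-use-only servers
    "desktops": ip_network("10.10.20.0/24"),
    "wireless": ip_network("10.10.30.0/24"),   # authenticated via a gateway
}

@dataclass(frozen=True)
class Rule:
    src: str               # segment name or "any"
    dst: str               # segment name or "any"
    dport: Optional[int]   # None means any port
    action: str            # "permit" or "deny"

# Explicit allow list; the final rule denies everything not listed above it.
POLICY = [
    Rule("any", "any", 6667, "deny"),            # IRC blocked, inbound and out
    Rule("any", "any", 1863, "deny"),            # MSN Messenger blocked
    Rule("desktops", "servers", 443, "permit"),  # constructed allowed flow
    Rule("wireless", "servers", 443, "permit"),  # constructed allowed flow
    Rule("any", "any", None, "deny"),            # default deny
]

def segment_of(ip: str) -> str:
    """Map an address to its VLAN segment, or 'outside' if it is in none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "outside"

def evaluate(policy, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation, the way a firewall reads its ruleset top down."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for r in policy:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.dport in (None, dport):
            return r.action
    return "deny"   # no explicit match: deny, never permit

def loose_rules(policy):
    """Flag permits spanning every source, destination and port: the kind of
    rule that makes running the firewall pointless."""
    return [r for r in policy if r.action == "permit"
            and r.src == "any" and r.dst == "any" and r.dport is None]
```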