On Tue, 23 Nov 1999, Crispin Cowan wrote:

> I agree that configuration and operational issues are a hard problem to solve.
> In general, I don't know how to solve them. My (crass commercial) solution is
> that folks who don't really know what they're doing should buy appliances

I firmly agree and I'm not even selling anything. <g> The problem here lies in that many work users have systems at home and see no difference between the complete control of their home machines and what they think should be their complete control of their work machines.

I worked in a rather large computing facility earlier this year where we were using NetApp filers for central storage. Users vehemently resented the multi-GB quotas and complained by saying "I have a 20GB drive at home, why can't I have one here?"

If appliances are put on the desktops instead of real standalone-capable machines, the appliance might be a sufficiently different animal that the users may not be as tempted to make comparisons to their home systems. (I'm speaking generally about PC folks here.)

> I'm rather amazed at the existence of the firewall *application* market, where
> you buy a firewall product and install it on one of your server machines. How
> can such an application install take a pre-installed machine from an unknown
> state to a secure state?

These applications help to solve a non-technical problem: liability. If ABC Corp. installs a Double-Widget(tm) firewall then they can demonstrate that they practiced 'due diligence' and made a 'good faith' effort to secure the corporate assets; the darn software vendor must be at fault if there is a malicious intrusion. The technical issues are sufficiently obfuscated that the company probably won't be blamed [by the shareholders, etc.] for the lax security: it will now be [in their eyes] the vendor's fault.

Sadly, it seems that covering one's own ass[ets] is functionally equivalent to actually practicing real security without all that nasty work and expense.

Cheers,
Scott
scott(a)earth.nexus.net
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:03 PDT