At 17:48 1/04/98 -0500, Adam Shostack wrote:

>Christopher Nicholls wrote:
>
>| I couldn't agree more. Further, I think one of the most alarming trends
>| developing is the movement towards "shrink-wrap firewalls" - buy now pay
>| later! If ever there was an item not to be bought off-the-shelf, it's
>| security. Maybe one day we will be able to use self configuring f/w
>
> I disagree strongly, unless you agree to add the word "today,"
>so that the sentence reads '...not to be bought off-the-shelf
>today,...' then sure. But we need to move to a situation where new
>products come with security because it's one of those things that
>engineers think about when building the toolkits that companies use to
>build products.

Today yes, that is why I said "...Maybe one day...". I was suggesting that software cannot do it alone, and that many MIS managers are not able to discern between good, bad, and indifferent firewall and security products. To make the selection of such complex systems a matter of a supermarket decision is anathema. Today.

Actually I rather like the idea of "secure applications" that MJR was suggesting a while back...

> Adding security on after a product is developed costs about
>ten times as much as adding it during development. Adding security
>after deployment is nigh well impossible. You may add client
>authentication, hijack resistance, and some other stuff, but if your
>application has no security, then it may not do a lot of good.

Adding security? I wasn't suggesting adding security... adding good policies, common sense and expert advice yes - and some sound education so that MIS managers are able to be more across these issues - *prior* to selection and implementation.
There are a number of significant products out there which can competently protect our networks, but the implementation of them is one area in Information Systems which needs a lot of work, and the trouble is, there is a great deal of pressure being put on MIS managers by senior management to get Internets and Intranets up and running quickly, thus exacerbating the problem of selection and implementation of firewalls. There are plenty of examples of highly regarded f/w systems badly implemented or severely compromised by lack of knowledge, all for want of good management, sound IT security policies, and monitoring. I don't see any products at this stage which can write their own security policies... ;-)

>
>| 2) you (the consultant) are not just holding the high intellectual ground to
>| prevent them from such implementations and 3) IT security is not talismans
>| and incense?
>
>You do this by making security more than talismans and incense. This
>requires an engineering process that doesn't often result in things
>like Biham's recent crack of X9.52. Security is not often engineered
>today, which means that management perception of it is reasonably
>accurate as talismans and incense.

I partially disagree... I see this as part educative and part software engineering. Neither by itself can achieve the goal completely. I take your point about management perception - they do tend to see it all as smoke and mirrors, but this should be addressed by sensible information - not marketspeak, nor technospeak. That is what I was getting at by my reference to the "high intellectual ground".

>
>| A firewall is not a means unto itself - it is only the proverbial tip of
>| the (security) iceberg.
>
>ok, we can agree on this. :)

Mmmm... that was the basis of my point.
Regards
Christopher
-----------------------------------------------------------------------------
Christopher Nicholls chrisnat_private ~~~~~~~ chrisnat_private
-----------------------------------------------------------------------------
m: 0411 454755 w: +61 2 6243 4834
h: +61 2 6241 2112 wf: +61 2 6243 4848 hf: +61 2 6241 8926
-----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:00 PDT