Re: [fwd] Firewall Products: Many Not Ready For Prime Time,

From: David Bonn (David.Bonnat_private)
Date: Wed Apr 01 1998 - 15:39:37 PST

    >>>>> "Chris" == Christopher Nicholls <chrisnat_private> writes:
    >>>>> "Jody" wrote:
    
    Jody> I refer to this as the Mojo Bag Theory of Firewall Purchase. The
    Jody> idea is that you buy one and just having it keeps away the evil eye. :-)
    Jody> (Burning incense in front of the firewall may or may not be a "best
    Jody> practice", depending on the particular shaman, er, consultant, that you
    Jody> call in to do the eval.)
    
    Chris> I couldn't agree more. Further, I think one of the most alarming
    Chris> trends developing is the movement towards "shrink-wrap firewalls" -
    Chris> buy now pay later! If ever there was an item not to be bought
    Chris> off-the-shelf, it's security. Maybe one day we will be able to use
    Chris> self configuring f/w "..yessiree, just plug in your security policy
    Chris> here Mr Customer... you don't have one? Never mind - use our default
    Chris> virtual policy!". Sounds a bit like the beginnings of a very
    Chris> interesting 1 April prank...
    
    I'm speaking from some obvious corporate biases here, since my
    employer is probably one of the companies you are speaking of.
    
    What you're really paying for when you hire a security consultant is
    *expertise*.  Now, good judgement comes from experience (and
    experience comes from bad judgement, but that's another story ;).
    Now, do security consultants build each and every security policy and
    configuration from scratch?  Probably not if they want to make money.
    What they will usually do is grab some solution from a similar
    situation they saw in the past and modify it for the local
    configuration.
    
    This is a good thing.  The customers are paying for someone with
    experience and expertise, and wasting the customer's money and the
    consultant's time reinventing the wheel is silly at best and
    borderline unethical at worst.
    
    Given that, what's wrong with encapsulating experience and expertise
    into software?  Or to ask the question another way, what aspects of
    security systems are resistant to encapsulation into software?
    
    If you compare firewall unit sales with internet growth, it looks
    probable that only about ten percent of the potential customer base
    are purchasing firewalls of any kind.  Can anyone argue with a
    straight face that that ninety percent is better off with no security
    software at all?
    
    Chris> But how do you convince the MIS Manager that 1) this is not a good
    Chris> approach, 2) you (the consultant) are not just holding the high
    Chris> intellectual ground to prevent them from such implementations and 3) IT
    Chris> security is not talismans and incense?
    
    Most customers I've seen have no equivalent of an MIS manager.  Many
    of them don't even have an on-site network administrator.  I'm not
    saying that they don't *need* such people, but the reality is that a
    lot of organizations who are connecting to the internet
    
    There are a lot of clueless people deploying large internets these
    days.  You probably don't have to look much further than your local
    government to find horrifying examples.
    
    How do we help these people?  Remember that most of them can't (or
    won't) drop a thousand bucks a day to have some high-hat security guy
    come in and tell them how to run their network.
    
    Chris> A firewall is not a means unto itself - it is only the proverbial tip
    Chris> of the (security) iceberg.
    
    Certainly true.
    
    Consider that if a firewall is easier to configure and manage, there
    might be more time and more resources available for the rest of the
    iceberg.
    
    David Bonn
    CTO, WatchGuard Technologies, Inc.
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:01 PDT