RE: Intrusion Detection

From: Russ (Russ.Cooperat_private)
Date: Fri Apr 17 1998 - 16:04:02 PDT

    >In many ways it would be nice to have some universal sort of way to
    >explain policy to devices, but in doing so machine misinterpretation
    >of that policy might distribute errors to multiple devices.
    
    Well, there are pros and cons here. I might prefer to have the same
    error throughout my environment rather than having the potential to
    create errors in numerous independent implementations.
    
    If I misconfigure and open a hole, I do so everywhere using a common
    policy deployment. If I don't, I multiply the times of opportunity to
    introduce a hole (each configuration introduces another opportunity),
    and reduce the possibility of discovering it myself (because I have to
    audit numerous implementations).
    
    >I'm far from saying that I have even a really strong clue how to deal
    >with this in a clean way, but too tight a coupling could lead to a
    >serious problem, as I see it.
    
    Well, I won't argue your "serious problem", but maybe we need to define
    serious better. I would end up with a more "wide-scale problem" using
    mass policy deployment. That could possibly lead to an increased
    opportunity for exploit.
    
    On the other hand, if I only have to monitor a single policy
    configuration method, I might be able to do a better job of it. For
    example, instead of having to have a Firewall Administrator at every
    site, I might be able to take half as many bodies and place them in a
    central Firewall Operations Center (FOC), and then use an approval
    policy that has configuration changes signed off by multiple
    individuals.
    
    If the process is automated, then the same theories apply to the process
    that modifies how the AI deals with things.
    
    Cheers,
    Russ Cooper
    R.C. Consulting, Inc. - NT/Internet Security
    Moderator of the NTBugtraq mailing list
    http://www.ntbugtraq.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:20 PDT