Russ, --- On Fri, 17 Apr 1998 19:04:02 -0400 Russ <Russ.Cooperat_private> wrote: >>In many ways it would be nice to have some universal sort of way to >>explain policy to devices, but in doing so machine misinterpretation >>of that policy might distribute errors to multiple devices. > >Well, there are pros and cons here. I might prefer to have the same >error throughout my environment rather than having the potential to >create errors in numerous independent implementations. I agree to the extent that it might be acceptable to have the same error in all devices of the same type (e.g. firewalls). > >If I misconfigure and open a hole, I do so everywhere using a common >policy deployment. If I don't, I multiply the times of opportunity to >introduce a hole (each configuration introduces another opportunity), >and reduce the possibility of discovering it myself (because I have to >audit numerous implementations). Agreed. This clearly is why some sort of universal policy editor or some such thing might be nice. > >>I'm far from saying that I have even a really strong clue how to deal >>with this in a clean way, but too tight a coupling could lead to a >>serious problem, as I see it. > >Well, I won't argue your "serious problem", but maybe we need to define >serious better. I would end up with a more "wide-scale problem" using >mass policy deployment. That could possibly lead to an increased >opportunity for exploit. The issue here is greater than that as I see it. Marcus talked about IDSs as a way to discover whether a firewall is implementing policy the way one wants. For this reason, if they are configured in tandem, a "policy leak" might be created. That is, an error in the firewall configuration might not be detected by the IDS because of a similar configuration error there. > >On the other hand, if I only have to monitor a single policy >configuration method, I might be able to do a better job of it. For >example, instead of having to have a Firewall Administrator at every >site, I might be able to take half as many bodies and place them in a >central Firewall Operations Center (FOC), and then use an approval >policy that has configuration changes signed off by multiple >individuals. Yes, sure. This is a very big win. If you have a good verification system as you propose (and if the organization is large enough to have that many knowledgable firewall folks), it would probably mitigate the problem. You understand that "the buck must stop" at a human, but too many organizations with whom I deal seem to trust the software too far. > >If the process is automated, then the same theories apply to the process >that modifies how the AI deals with things. > >Cheers, >Russ Cooper --john ------------------------------------- Name: John McDermott VOICE: 505/377-6293 FAX 505/377-6313 E-mail: John McDermott <jjmat_private> Writer and Computer Consultant -------------------------------------
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:42 PDT