>"Marcus J. Ranum" <[EMAIL PROTECTED]> said:
>Everyone's networks are different. I believe that a lot of the
>networks out there that are presently connected to the internet
>shouldn't be. Look at the kind of criminal negligence and
>incompetence that has been revealed at Los Alamos' network.

The Los Alamos network is not connected to the Internet.  It is air-gapped,
which is supposed to offer a high degree of security.  Unfortunately, it was
an easy matter to move data from the secure side to the insecure side via
floppies.  Inside jobs like that are difficult to stop.  You are depending
on trusting the people involved, as well as security procedures to ensure
the people involved are trusted, that have nothing to do with network
security.  There was clearly a breakdown in those procedures.

Of course a solution would have been to move the Internet access out of
the lab entirely and strip search everyone at the door as they leave.
The secrets would have been protected, but recruitment would have
suffered, so the secrets may not have ever been developed in the first
place.  Remember a lot of the work the Los Alamos scientists do is not
classified and the Internet is the primary vehicle for disseminating
and sharing scientific information these days.  Take away that tool and
a lot of scientists will not work in such an environment.

>What happens is that many organizations start from their requirements
>first and then back into their security policies based on that.

I see this far too often in my work. Security should start with the
development of a policy.  Or, if you back up a step, with the development of
an information classification system. (e.g. what are you trying to protect
and how valuable is it and do I need to keep it confidential or available,
etc).

Many organizations install a firewall and think they are safe.  They
ignore all the other security problems they already have which are far
greater risks than some cracker coming in over the Internet.  So in
reality a firewall adds nothing to their degree of security. Moreover,
they have no idea what they are trying to protect or why it needs
protection in the first place.  I partially blame the vendors for this
state of affairs, since firewalls are touted as "The" solution to
network security, which they are not.  Unfortunately, it appears to be
easier to sell a firewall appliance rather than a comprehensive security
solution.

Smoot Carl-Mitchell