I second that comment. Training is by far the best way to learn how to do
something properly. Security is very hard to do properly if you do not have
the training and the mindset.
I have had the worst-case scenario happen to me. I hardened a server, and
then the admin people went back in and changed so many things that what I
did was a joke. It went something like this: ME: "what you did made the
server insecure". THEM: "but you said you secured it". ME: "I did, I
changed things that are like putting a lock on a door, what you did was not
only unlocking the door, but removing the door and putting a signal flare
next to the door to tell everyone it's there." THEM: "So?" ME: "so now it's
not only not secure, but you are advertising that it is not secure". THEM:
"but you said it was secure". ME: "when I left it it was secure". THEM:
"but we never had problems before". ME: "you can try playing Russian
roulette and pull the trigger twice and you may live. How many more times
do you want to keep trying?". THEM: "but we need to do this to get our work
done". ME: "then here is how you do it properly, I've already installed and
configured the programs for you, you just need to use them". THEM: "I don't
have the time to waste on your theoretical problems, I need to get real work
done". And it goes on and on and on.
-----Original Message-----
From: mouss [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 20, 2000 11:51 AM
To: Frederick M Avolio; [EMAIL PROTECTED]
Subject: Re: Gauntlet
Fred,
Let me tell you something: Your reply is simply wonderful!
cheers,
mouss
At 08:58 20/11/00 -0500, Frederick M Avolio wrote:
>At 06:22 AM 11/20/00 -0600, Willis, Kelly wrote:
>
>>Is there anybody out there that can help me get some configurations right
>>on our new Gauntlet firewall? I have never configured a firewall before
>>and have not had training and this is very important to our company so I
>>am feeling the pressure here. Any help would be appreciated!
>
>Kelly,
>
>This is *nearly* the sort of worst-case scenario I discuss in various
>classes I teach. (Worst-case is a perfectly secure installation by an
>expert that gets changed 20 minutes after the expert logs out.) Let me
>briefly use your request as an example, but let me assure you I am not
>picking on you, making fun of you, or suggesting there is anything wrong
>with your request from your side of things.
>
>Did your company purchase training for Gauntlet for you? If not, then "it"
>is not very important to your company, even if you say so. Does your
>company have tech support for Gauntlet? If not, same comment.
>
>What if I posted this note at a Petro truck stop: "Can anyone out there
>help me learn to drive an 18 wheeler? I was hired to do this and I have a
>truck supplied by my company. I have a driver's license for an automobile,
>but I've never driven a big rig before, nor have I had any training in
>one. It is very important to my company that I get this right and I have
>to start a cross-country run on Wednesday. Any help you other drivers can
>offer in your spare time as you pass through will be greatly appreciated."
>
>Kelly, if it is important to your company they should have someone come in
>and train you or send you to training. If it is important to your company,
>they should not settle for free advice over Internet. If it is important
>to your company, they should want to get the installation of such an
>important security device right the first time.
>
>Can someone learn to drive an 18-wheeler by asking advice and getting a
>few minutes of practice driving with another driver around the parking lot
>of a truck stop? Maybe. Would we want to trust them on the road with other
>trucks and with minivans with parents driving their children to
>grandmother's house for Thanksgiving? No.
>
>Get real training, or hire someone to install, configure, and train.
>
>Fred
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]