I cut Ben's address, he only needs one copy of this thread...

On Fri, 19 Apr 2002, Noonan, Wesley wrote:

> >
> > >
> > > position that seems to be so prevalent on this list. I think it is bad
> > > practice to make such blanket generalizations.
> > >
> >
> > The reference to "how often does it appear on BugTraq" translates pretty
> > much to:  look at the historical evidence.
>
> Sure, I still don't think a blanket "VLANs bad" statement is wise.
>

And yet you'll caution your own clients with advice against them, as you
stated earlier; on what do you base that advice then, if not on historical
facts of switches not being security devices, as well as past evidence of
their exploitation, as well as issues many here have mentioned on VLANs?
I'm sure you have to back up your advice with documented reasoning?

> > > Security policies and practices that prevent business are BAD.
> > >
> >
> > FUD!  The company does no business if their security does not protect
> > their interests/assets.
>
> Absolutely not!!!!!! Having the best security in the world, such that it
> prevents business is much, much worse. Why? Because the company with no
> security can still make money in many cases. If security stops business, the
> company can't make money. Far too many security professionals seem to
> function in a bubble. They fail to see the correlation between security and
> making money, and they fail to realize that they have to balance the needs
> of security against the requirement to make money, and find the most secure
> position they can have, while still not precluding or preventing the ability
> to make money. It's a tightrope walk and a balancing act, which is why the
> folks who can walk that rope and strike that balance are so valuable.
>

If your warehouse is unlocked and I drive in and steal all your product,
how much business can you do?  Likewise, if your warehouse software, the
stuff that tracks what's in stock and where it can be found and produces
orders for more stock and for client purchases, is unsecured and I can get
into it and mess up the whole database, or worserer, just rm -rf *, how
much business can you do?  If your network becomes so congested with Code
Red/Nimda traffic it can't send proper traffic about, how much work can be
done?

Even companies with no security guard at the front desk, and merely a
receptionist, are in fact using her in a semi-security role; she filters
traffic as it arrives.  Business has had to maintain and deal with
security since its inception, we just do not always recognize the full
spectrum of security that is in place.

> > > Agreed. Again, this is the point that I was trying to make. It's not cookie
> > > cutter. There are a LOT of variables to weigh, and I just think it is bad
> > > practice to make statements like I have seen from others on this list.
> > >
> >
> > So it's better to just what?  say and do nothing and consider nothing in
> > an evaluation/assessment of a product/potential implementation?  Folks come
>
> Not present opinion as fact? To try not to take "extremist" positions, and
> then propagate those positions.
>

We tend to be paranoid, it's part of our jobs, it's perhaps not part of
your job, but, it is for us that work in a security role as the prime
focus of our positions.

> > to this list to ask others to share their knowledge and experience.  This
> > is what Paul and others have done, and you mostly just decided Paul's
> > style in approaching this was FUD.  Do consider, in a busy day, when folks
>
> Yes, I do. I think much of the validity in his position was lost in the
> delivery.
>
> > reply to e-mails here and elsewhere their 'style' differs greatly to that
> > one might see/perceive when addressing them face up and vocally.  I'm sure
> > Paul is a busy man, and tries to share as quickly as possible those
> > moments he can to providing help and knowledge gained throughout the
> > years to others freely here.  As do others, I'm sure this is pretty much
> > the same with you.
>
> Wow, I think this is as close as you have come to actually acknowledging
> that I might well be able to differentiate between my ass and a hole in the
> ground without need of a map... <g>
>

<smile>  I still recall the offline arguments a few months back we had
when I tried to inform you that this is a text based list and your
insistence it was time to move into the html mail world...

> > Afterall, how many folks get paid to spend time on
> > this and the other lists they contribute to?  I can say, I often find
> > great humor, as well as insight in Paul's style here <smile>.  And have a
>
> No doubt. As have I. I just think that he was a little "off" on this
> particular topic.
>
> > few times busted a gut and spewed some coffee about the monitor and
> > keyboard while gaining some valuable information.  Now, if I do not
> > understand what he's saying, or require deeper clarification of points
> > he's jotting out here quickly, whose responsibility is it for me to gain
> > deeper insight?
>
> For some reason, you assume that I need "deeper clarification"? No doubt,
> learning is the responsibility of the learner.
>
> > Is it not *my* obligation to request clarification and
> > edification?
>
> Sure, however if one is going to be as so bold as to make a statement,
> particularly of a technical nature on a technical list, then they should
> probably be ready and able to clarify it if requested.
>


It's a big industry, there's much to track and maintain data on.  I've
tended over the last few years to build up files of data from various
lists, to go back and review when need arises, and even that gets to be a
mess.  And this is sometimes why information supplied is 'qualified', as
Paul himself tried to point out to you a number of times in this thread.

Afterall, you had nothing to base your arguments rejecting his on, no
experience to offer on using VLANs in a secure nature, nor any experience
with ISA, only the marketing stuff off their site, and mis-stated its
exposure/exploit issues already on record.  Lots for you and lots for the
rest of us to track in total.  Thus the frequency of folks popping in here
and asking if others have a clue on something they now face in their work
roles...



> > In like token, if his style does so bug me that I go on a
> > rant each time he gives advise, whose responsibility is it for me to hit
> > delete when seeing his name on a post or just killfile his responses so as
> > to save my attitude for the rest of the day?
>
> If everything Paul said bothered me that much, maybe I would. However, while
> you still *do not know me*, those who do could certainly tell you that I
> don't believe in that. I am not willing to lose the volumes of insight that
> Paul, or anyone else, can provide simply because I "don't like his style".
> Besides, AFAIC, this is really more specific to this single topic, hardly a
> style, which is a bit of a pet peeve for me.


Caution, your pet-peeve on generalisations was violated a few times on
your end when inferring that I'm clueless to operating and maintaining
Windows systems.  I've played with Windows systems as far back as when it
was still a run-time system under DOS <required PageMaker and lacked a
Mac>.  I remember when Word could be run on two 5.25 inch floppies and the
whole Office package in use now was split into separate packages and
marketed and sold as such, prior to Access even.  I remember when win.ini
and sys.ini were the major controls, no registry to deal with.  I've
seen little improvement between NT 3.5 and 4.0 nor w2k, just a lot more
bulk, and tying the browser into the OS was a major catastrophe <so much
for KISS and separation of potential exposure>.  While at Honeywell our NT
systems required reboots daily to deal with the flow <3.5>, at 3M our NT
4.0 DNS/domain servers had to be rebooted every two days at best to prevent
seeing blue, and the bad history on those overloaded/bloated systems goes
on from there <1991-1995>.  I could put in much smaller Intel boxes with
much less RAM and disk space and do much more with them, with average
reboot times *required* at about 365 days+...I just don't think Windows in
any of its flavors even now is ready for primetime as anything but a
desktop system, 'course, I'm perhaps the only person in Durham NC that
feels the same about Red Hat...YMMV...

Of course in some eyes this might well still mark me as an OS bigot...

Cool.  At least it appears we all here in these threads have the
skills to debate, as well as subscribe and unsubscribe without letting the
total readerbase of the list know how lacking in clues we really might be
<smirk>.


Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls