Kurt, If someone wants your data, they WILL get it. It's not a matter of IF, it's a matter of WHEN. People WANT the governments data, without absolute sneaker net, it is nearly IMPOSSIBLE to protect completely. There will always be a hole somewhere no matter how secure the environment is.
It's all a matter of risk and the cost to mitigate the risk. There are fundamentally secure ways to accomplish what has been asked. Is it a perfect solution? Maybe not, but it is doable. You are a talented IT professional, but I think you may be living in the IT fantasy land... On Thu, Jan 6, 2011 at 8:41 PM, Kurt Buff <[email protected]> wrote: > On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <[email protected]> wrote: > > Hi, > > > > Then you should turn of all your computers, encase them in concrete, and > > launch them into outer space - and into the Sun. That is the best way of > > stopping anyone compromising one of your machines. > > Got to love the straw man argument. > > > Having a non-domain joined SQL Server in your DMZ is far less secure than > that. > > Than what? Launching it into the sun? You conveniently ignore that I > said "when you know there are better ways", and the > > > Hint: go and read some books on security first. *All* security is risk > mitigation. > > For example: that's why we still have passwords that are only "x" > characters long, > > rather than "x + 1" (where x is any number less than infinity). > > I have read security books, and keep up with Full Disclosure, FW > Wizards and several other lists, as well as monitoring isc.sans.org. > > And you exaggerate again. We have passwords that are 'x' characters > long (I tend to use 20+ character passphrases myself) because the > effort to crack them is, so far, infeasible, due to the lack of > rainbow tables of the size necessary to do so, and the lack of time to > brute force them before I change them. If firms (such as my own work, > I'll admit) are so foolish as to ignore this limit, then they will > likely suffer for it, and deserve to do so. > > > Everything in security is about: > > a) analysing what risks you face, > > b) working out what the likelihood of it eventuating > > c) working out the cost of the likelihood eventuating > > d) working out the cost of making the risk go away > > e) working out whether it's cost effective to implement (d) given > (a)(b)(c) > > It's a b) that the risk mitigation wizards fail. Spectacularly. IMHO, > "risk mitigation" is a mantra that has gone way too far, in the > relentless pursuit of cost and effort savings. The above > recommendation to turn a firewall into a safe passage for intruders is > a prime example. > > > That is why a national government has a far more secure, cumbersome > network > > than your average business. Because the risks are different. > > Oh, yeah - that's worked out well, hasn't it? I believe you have that > problem by the wrong end of the stick. National government networks > are more cumbersome, and not more secure, in the main. That's because > they're, wait for it, run by bureaucrats. They danced the risk > mitigation dance, and we got wikileaks, infected thumb drives, virus > infestations on supposedly secure networks, and all manner of > silliness. > > > That why we don't all blithely implement the same way of doing things. > Because doing > > things *costs* money (whether that be products, convenience, productivity > etc) > > And doing them intelligently costs less money than doing them stupidly. > > Kurt > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
