You make my point for me - the government networks with valuable data on them *should* have air gaps separating them from untrusted networks. They are the ones living in a fantasy, if they think that connecting supposedly secure networks to the public Internet is anything but an invitation to intrusion. Call it sneakernet or something else, a separate network, on separate infrastructure, is exactly what is called for in those cases.
On Thu, Jan 6, 2011 at 21:00, Don Ely <[email protected]> wrote:
> Kurt,
>
> If someone wants your data, they WILL get it. It's not a matter of IF, it's
> a matter of WHEN. People WANT the government's data; without absolute
> sneaker net, it is nearly IMPOSSIBLE to protect completely. There will
> always be a hole somewhere no matter how secure the environment is.
>
> It's all a matter of risk and the cost to mitigate the risk. There are
> fundamentally secure ways to accomplish what has been asked. Is it a
> perfect solution? Maybe not, but it is doable.
>
> You are a talented IT professional, but I think you may be living in the IT
> fantasy land...
>
> On Thu, Jan 6, 2011 at 8:41 PM, Kurt Buff <[email protected]> wrote:
>>
>> On Thu, Jan 6, 2011 at 18:11, Ken Schaefer <[email protected]> wrote:
>> > Hi,
>> >
>> > Then you should turn off all your computers, encase them in concrete, and
>> > launch them into outer space - and into the Sun. That is the best way of
>> > stopping anyone compromising one of your machines.
>>
>> Got to love the straw man argument.
>>
>> > Having a non-domain joined SQL Server in your DMZ is far less secure
>> > than that.
>>
>> Than what? Launching it into the sun? You conveniently ignore that I
>> said "when you know there are better ways", and the
>>
>> > Hint: go and read some books on security first. *All* security is risk
>> > mitigation.
>> > For example: that's why we still have passwords that are only "x"
>> > characters long,
>> > rather than "x + 1" (where x is any number less than infinity).
>>
>> I have read security books, and keep up with Full Disclosure, FW
>> Wizards and several other lists, as well as monitoring isc.sans.org.
>>
>> And you exaggerate again. We have passwords that are 'x' characters
>> long (I tend to use 20+ character passphrases myself) because the
>> effort to crack them is, so far, infeasible, due to the lack of
>> rainbow tables of the size necessary to do so, and the lack of time to
>> brute force them before I change them. If firms (such as my own work,
>> I'll admit) are so foolish as to ignore this limit, then they will
>> likely suffer for it, and deserve to do so.
>>
>> > Everything in security is about:
>> > a) analysing what risks you face,
>> > b) working out what the likelihood of it eventuating is
>> > c) working out the cost of the likelihood eventuating
>> > d) working out the cost of making the risk go away
>> > e) working out whether it's cost effective to implement (d) given
>> > (a)(b)(c)
>>
>> It's at b) that the risk mitigation wizards fail. Spectacularly. IMHO,
>> "risk mitigation" is a mantra that has gone way too far, in the
>> relentless pursuit of cost and effort savings. The above
>> recommendation to turn a firewall into a safe passage for intruders is
>> a prime example.
>>
>> > That is why a national government has a far more secure, cumbersome
>> > network
>> > than your average business. Because the risks are different.
>>
>> Oh, yeah - that's worked out well, hasn't it? I believe you have that
>> problem by the wrong end of the stick. National government networks
>> are more cumbersome, and not more secure, in the main. That's because
>> they're, wait for it, run by bureaucrats. They danced the risk
>> mitigation dance, and we got WikiLeaks, infected thumb drives, virus
>> infestations on supposedly secure networks, and all manner of
>> silliness.
>>
>> > That's why we don't all blithely implement the same way of doing things.
>> > Because doing
>> > things *costs* money (whether that be products, convenience,
>> > productivity etc)
>>
>> And doing them intelligently costs less money than doing them stupidly.
>>
>> Kurt
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
