Bill,
We agree that applying the same security controls everywhere on a network is
a bad approach and could lead to considerable expense.  In many cases this
approach is a reaction to a poorly architected environment which cannot
easily support role based partitioning.  Most users wear many hats and are
required to switch those hats continuously throughout the day.  The
computing architecture needs to support a user switching roles rather than
being all roles at once.  Once security requirements are mapped to an
organization's roles, network functionality can be partitioned accordingly.
It then becomes a simpler and less costly matter to implement and support
that architecture.  I guess it is the old divide and conquer approach.
Chris

Bill Pankey wrote:

> Chris
>
> I appreciate what you say.  Certainly TCP is spoofable but it provides a
> valuable service in protecting against transmission errors, dropped
> packets and the like and therefore is important to 'integrity'.
>
> My question is not 'whether or not', but how integrity controls are cost
> effectively implemented and, from a compliance point of view, isolated.
> The idea that all packets should be signed seems far fetched.  To do as
> much can hardly be cost ineffective as it essentially ignores all of the
> HCO effort with respect to activities like physical access control,
> personnel screening, workstation security and so forth.  If I were
> transmitting over the public Inet, then I would consider signing all
> packets.
>
> I discount the conventional wisdom that most attacks are from inside the
> LAN, although I accept that insecure workstations are often the vector
> for attack.  HCO spend a lot of effort screening personnel who after
> all, are 'caregivers'.  In some ways it is antithetical for a provider
> organization to protect itself from malicious activity of its staff.
> After all, the HCO gives knives to its people and takes responsibility for
> the consequences <g>.
>
> Bill

--
Chris Riley, CISSP
Information Tool Designers Inc.
http://www.info-tools.com/