Bill,

We agree that applying the same security controls everywhere on a network is a bad approach and could lead to considerable expense. In many cases this approach is a reaction to a poorly architected environment which cannot easily support role-based partitioning. Most users wear many hats and are required to switch those hats continuously throughout the day. The computing architecture needs to support a user switching roles rather than being all roles at once. Once security requirements are mapped to an organization's roles, network functionality can be partitioned accordingly. It then becomes a simpler and less costly matter to implement and support that architecture. I guess it is the old divide-and-conquer approach.

Chris
Bill Pankey wrote:
> Chris
>
> I appreciate what you say. Certainly TCP is spoofable but it provides a
> valuable service in protecting against transmission errors, dropped
> packets and the like and therefore is important to 'integrity'.
>
> My question is not 'whether or not', but how integrity controls are cost
> effectively implemented and, from a compliance point of view, isolated.
> The idea that all packets should be signed seems far-fetched. To do as
> much can hardly be cost ineffective as it essentially ignores all of the
> HCO effort with respect to activities like physical access control,
> personnel screening, workstation security and so forth. If I were
> transmitting over the public Inet, then I would consider signing all
> packets.
>
> I discount the conventional wisdom that most attacks are from inside the
> LAN, although I accept that insecure workstations are often the vector
> for attack. HCOs spend a lot of effort screening personnel who, after
> all, are 'caregivers'. In some ways it is antithetical for a provider
> organization to protect itself from malicious activity of its staff.
> After all, the HCO gives knives to its people and takes responsibility for
> the consequences <g>.
>
> Bill

--
Chris Riley, CISSP
Information Tool Designers Inc.
http://www.info-tools.com/

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
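The "switch hats, don't wear them all at once" architecture Chris describes is essentially the session model of role-based access control: a user is authorized for several roles, but a session activates only one of them, and every access decision is made against the active role. The following is an added illustration, not code from either poster or from WEDI; it models the idea in Python. The roles, the network segments each role needs, and the user are constructed sample data; mapping one role to one active session at a time (rather than any subset of roles, as NIST RBAC also permits) is an assumption chosen to match the thread's point.

```python
"""Role-based partitioning with a single active role per session (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed sample data: each role is mapped to the network segments /
# services its security requirements actually call for. Nothing else is
# reachable from a session in that role.
ROLE_SEGMENTS: Dict[str, Set[str]] = {
    "nurse":    {"ehr-clinical", "pharmacy-orders"},
    "billing":  {"claims", "ehr-demographics"},
    "it-admin": {"mgmt-vlan", "backup"},
}


class RoleActivationError(Exception):
    """Raised when a user tries to activate a role they are not authorized for."""


@dataclass
class Session:
    """One login session. The user may hold many roles but wears one hat at a time."""
    user: str
    authorized_roles: FrozenSet[str]
    active_role: Optional[str] = None

    def activate(self, role: str) -> None:
        """Switch hats: the new role REPLACES the old one, it does not accumulate."""
        if role not in self.authorized_roles:
            raise RoleActivationError(f"{self.user} is not authorized for role {role!r}")
        if role not in ROLE_SEGMENTS:
            raise RoleActivationError(f"role {role!r} has no segment mapping")
        self.active_role = role

    def reachable_segments(self) -> FrozenSet[str]:
        """Segments this session may reach right now (none until a role is active)."""
        if self.active_role is None:
            return frozenset()
        return frozenset(ROLE_SEGMENTS[self.active_role])

    def may_reach(self, segment: str) -> bool:
        """Access decision made against the active role only."""
        return segment in self.reachable_segments()


def all_hats_at_once(roles: Set[str]) -> FrozenSet[str]:
    """The 'all roles at once' model the thread argues against: the user gets the
    union of every role's reach for the whole day, so the partition collapses."""
    return frozenset().union(*(ROLE_SEGMENTS[r] for r in roles))


def allow_rules_for(role: str) -> List[str]:
    """Derive a per-role allow list (default deny) from the role-to-segment map.
    This is the 'partition network functionality accordingly' step: the firewall
    or VLAN policy for a role follows mechanically from its requirements."""
    rules = [f"allow {seg}" for seg in sorted(ROLE_SEGMENTS[role])]
    rules.append("deny any")
    return rules


if __name__ == "__main__":
    # Constructed user who wears two hats during the day.
    s = Session("chris", frozenset({"nurse", "billing"}))
    s.activate("nurse")
    print("as nurse:  ", sorted(s.reachable_segments()))
    s.activate("billing")
    print("as billing:", sorted(s.reachable_segments()))
    print("all at once:", sorted(all_hats_at_once({"nurse", "billing"})))
    print("billing rules:", allow_rules_for("billing"))
```

Switching from nurse to billing drops the clinical segments rather than adding the claims segment on top of them, so the exposure of a compromised workstation at any moment is bounded by one role's partition, not the user's whole portfolio of hats. The per-role allow list is what a segmented network would enforce; it is derived from the role map, which is the part that has to be right.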