Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: What could have been done differently?

  • From: Leo Bicknell
  • Date: Tue Jan 28 10:00:58 2003

In a message written on Tue, Jan 28, 2003 at 03:10:18AM -0500, Sean Donelan wrote:
> They bought finest firewalls,

A firewall is a tool, not a solution.  Firewall companies advertise
much like Home Depot (Lowes, etc), "everything you need to build
a house".

While anyone with 3 brain cells realizes that going into Home Depot
and buying truck loads of building materials does not mean you have
a house, it's not clear to me that many of the decision makers in
companies understand that buying a spiffy firewall does not mean
you're secure.

Even those that do understand, often only go to the next step.
They hire someone to configure the firewall.  That's similar to
hiring the carpenter with your load of tools and building materials.
You're one step closer to the right outcome, but you still have no
plans.  A carpenter without plans isn't going to build something
very useful.

Very few companies get to the final step, hiring an architect.
Actually, the few that get here usually don't do that, they buy
some off the shelf plans (see below, managed security) and hope
it's good enough.  If you want something that really fits you have
to have the architect really understand your needs, and then design
something that fits.

> they had two-factor biometric locks on their data centers,

This is the part that never made sense to me.  Companies are
installing new physical security systems at an amazing pace.  I
know some colos that have had four new security systems in a year.
The thing that fascinates me is that unless someone is covering up
the numbers /people don't break into data centers/.

The common thief isn't too interested.  Too much security/video
already.  People notice when the stuff goes offline.  And most
importantly too hard to fence for the common man.  The thief really
interested in what's in the data center, the data, is going to take
the easiest vector, which until we fix other problems is going to
be the network.

I think far too many people spend money on new security systems
because they don't know what else to do, which may be a sign
that they aren't the people who want to trust with your network
data.

> they installed anti-virus software, 

Which is a completely different problem.  Putting the bio-hazard
in a secure setting where it can't infect anyone and developing an
antidote in case it does are two very different things.  One is
prevention, one is cure.

> they paid for SAS70 audits by the premier auditors,

Which means absolutely nothing.  Those audits are the equivalent
of walking into a doctor's office, making sure he has a working
stethoscope and box of toungue depressors, and maybe, just maybe,
making the doctor use both to verify that he knows how to use the
them.

While interesting, that doesn't mean very much at all that when
you walk in with a disease the doctor will cure you.  Just like it
doesn't mean when the network virus/worm/trojan comes you will be
immune.

> they hired the best managed security consulting firms.

This goes back to my first comment.  Managed security consulting
firms do good work, but what they can't do is specialized work.
To extend the house analogy they are like the spec architects who
make one "ok" plan and then sell it thousands of times to the people
who don't want to spend money on a custom architect.

It's better than nothing, and in fact for a number of firms it's
probably a really good fit.  What the larger and more complex firms
seem to fail to realize is that as your needs become more complex
you need to step up to the fully customized approach, which no matter
how hard these guys try to sell it to you they are unlikely to be
able to provide.  At some level you need someone on staff who
understands security, but, and here's the hard part, understands
all of your applications as well.

How many people have seen the firewall guy say something like "well
I opened up port 1234 for xyzsoft for the finance department.  I
have no idea what that program does or how it works, but their support
people told me I needed that port open".  Yeah.  That's security.
Your firewall admin doesn't need to know how to use the finance
software, but he'd better have an understanding of what talks to
what, what platforms it runs on, what is normal traffic and what
is abnormal traffic, and so on.

> Are there practical answers that actually work in the real world with
> real users and real business needs?

I think there are two fundamental problems:

* The people securing networks are very often underqualified
  for the task at hand.  If there is one place you need a "generalist"
  type network/host understands-it-all type person it's in security
  -- but that's not where you find them.  Far too often "network"
  security people are cross overs from the physical security world,
  and while they understand security concepts I find much of the
  time they are lost at how to apply them to the network.

* Companies need to hold each other responsible for bad software.
  Ford is being sued right now because Crown Vic gas tanks blow
  up.  Why isn't Microsoft being sued over buffer overflows?  We've
  known about the buffer overflow problem now for what, 5 years?
  The fact that new, recent software is coming out with buffer
  overflows is bad enough, the fact that people are still buying
  it, and also making the companies own up to their mistakes is
  amazing.  I have to think there's billions of dollars out there
  for class action lawyers.  Right now software companies, and in
  particular Microsoft, can make dangerously unsafe products and
  people buy them like crazy, and then don't even complain that
  much when they break.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

Attachment: pgp00021.pgp
Description: PGP signature




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.