Great Circle Associates Firewalls
(September 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: Quit now or keep going?
From: joe_kretz @ fmc . com
Date: Tue, 13 Sep 94 09:00:12 CDT
To: firewalls @ greatcircle . com, sgcccdc @ citec . qld . gov . au (Colin Campbell)
Encoding: 44 Text 
COLIN STATED:

>Should I quit now or keep going? I am in the ignominious position of having to 
>implement a firewall to protect several organisations over which I have 
>absolutely no control. Let me explain.

   Internet
      |
      |
   Firewall
      |
      |
  -----------+------------------
  |        Router(s)           |
  --+--------+-------+--------+-
    |    |       |        |
    |    |       |        |
  OrgA      OrgB    OrgC     Us

>Everybody wants news/mail/mosaic/everything. There is no traffic permitted 
>between any two `Org's. We (Us) have access to all `Org's and they to us.
>We have absolutely no control over most of the hosts in any Org. If any one 
>Org gets broken, chances are everyone gets broken. All Orgs and Us are 
>`sensitive'.

THE ISSUE, IN MY HUMBLE OPINION, IS NOT ONE OF "WHO HAS CONTROL" BUT RATHER
IS THERE A COMPREHENSIVE INFORMATION SECURITY PROGRAM THAT ENCOMPASSES ALL
THESE ORGANIZATIONS INCLUDING THEIR GENERAL COMPLIANCE WITH IT.  A FIREWALL
IS JUST ONE TYPE OF CONTROL WITHIN THE BROADER NETWORK SECURITY COMPONENT AND
THE NETWORK SECURITY COMPONENT IS JUST ONE OF THE FIFTEEN COMPONENTS THAT
COMPRISE OUR TOTAL PROGRAM HERE AT FMC.  OUR ORGANIZATIONAL SITUATION IS
SIMILAR TO THE ONE DESCRIBED WHERE NO ONE PERSON OR ORGANIZATION HAS ABSOLUTE
CONTROL BUT YET WE HAVE, ACCORDING TO INTERNAL AND EXTERNAL REVIEWS, A 
REASONABLE LEVEL OF SECURITY.  WITHOUT THIS OVERALL FRAMEWORK, OUR INTERNET
FIREWALL, FOR EXAMPLE, WOULD NOT HAVE OFFERED US MUCH SECURITY BY ITSELF.

MY RECOMMENDATION WOULD BE TO KEEP GOING BUT CHANGE DIRECTIONS IF AN OVERALL
SECURITY FRAMEWORK IS MISSING.  IN THE EXAMPLE DESCRIBED BY COLIN, A
FIREWALL BY ITSELF WOULD SEEM TO HAVE A VERY LOW PROBABILITY OF IMPROVING
SECURITY WITHOUT BEING PART OF AN MORE COMPREHENSIVE PROGRAM.

STAY SECURE! JOE
Indexed By Date Previous: Re: Firewalls Digest V3 #314
From: "k.poulsen" <kfp @ rtpvl1 . enet . dec . com>
Next: Re: Quit now or keep going?
From: Marcus J Ranum <mjr @ tis . com>
Indexed By Thread Previous: Re: Quit now or keep going?
From: Rens . Schipper @ rivm . nl (Rens Schipper)
Next: Re: Quit now or keep going?
From: Marcus J Ranum <mjr @ tis . com>
Google
 
Search Internet Search www.greatcircle.com