>Should I quit now or keep going? I am in the ignominious position of having to
>implement a firewall to protect several organisations over which I have
>absolutely no control. Let me explain.
>            | Router(s) |
>            |    |    |    |
>            |    |    |    |
>          OrgA OrgB OrgC  Us
>Everybody wants news/mail/mosaic/everything. There is no traffic permitted
>between any two `Org's. We (Us) have access to all `Org's and they to us.
>We have absolutely no control over most of the hosts in any Org. If any one
>Org gets broken, chances are everyone gets broken. All Orgs and Us are
The issue, in my humble opinion, is not one of "who has control" but rather
is there a comprehensive information security program that encompasses all
these organizations, including their general compliance with it. A firewall
is just one type of control within the broader network security component, and
the network security component is just one of the fifteen components that
comprise our total program here at FMC. Our organizational situation is
similar to the one described, where no one person or organization has absolute
control, but yet we have, according to internal and external reviews, a
reasonable level of security. Without this overall framework, our Internet
firewall, for example, would not have offered us much security by itself.

My recommendation would be to keep going but change directions if an overall
security framework is missing. In the example described by Colin, a
firewall by itself would seem to have a very low probability of improving
security without being part of a more comprehensive program.

Stay secure! Joe