Please don't misinterpret me, I am genuinely in search of a practical,
reasonable opinion: how does one distinguish security through
obscurity from ``real'' security? Should one apply that standard to a
corporate security policy? Why or why not?
- Stephen
stephen @ networks . com
From: "Johnson-Bryden, Ian" <IJB @ saicuk . co . uk>
Date: Thu, 09 Nov 95 09:39:00 GMT
X-Mailer: Microsoft Mail V3.0
Sender: owner-gateway-firewalls @ imonics . com
Precedence: bulk
If someone has produced a real risk/security policy it should not be
released to anyone other than authorised users for obvious reasons. If it is
similar to a 'Corporate Mission Statement' it won't be worth much. If it is a
fully detailed document which someone has unwisely made public, it should
only be meaningful to the owner because of those unique elements to that
enterprise, other than it shows how one outfit approached the issues. There
are now a range of books which cover risk/security policy generation in
varying detail and from different perspectives.
Ian J-B