From: firewalls-owner
To: firewalls
Subject: A Practical Question
Date: Friday, November 24, 1995 12:00AM
>Ken Smith wrote:
>I barely have time to catch my morning coffee, much less
>try to review the last 24-hours of dial-in logs.
Well maybe some folk miss the morning coffee, but I doubt anyone reviews the
last 24 hrs of dial-in logs every day unless the traffic is *very* low.
>I understand that a number of people on this list are security professionals
>rather than network managers, but I'd like to hear from those who *are*
>responsible for the day-to-day administration of small-to-medium-size
>networks. How realistic is it for network managers to be able to take the
>sort of labor-intensive security steps that are advocated here? In addition,
>how *necessary* is it?
There is the other question of - should the network manager be security
also? In many countries, banks don't expect their counter clerks to operate
with shotguns, they hire armed guards. Those same institutions however often
leave their systems manager or network manager to do the equivalent job on
the information system. Very frequently that's the fault of the manager, or
the man who did the job before, because he never explained the requirements
to the senior management. In some cases, he deliberately tried to conceal
the realities from management either because he wanted to stay employed or
just didn't welcome what might prove to be 'competition'.
In a well regulated system there should be a system administrator, a network
administrator, and a security officer, which has two main virtues. One is
that it avoids anyone being overloaded and neglecting a vital area. The
second is that each guard guards the other two. Take the old Czech joke
about the secret police going round in threes - one is to read, one is to
write, one is to keep an eye on the dangerous intellectuals.
>If I'm not able to dedicate these sorts of resources, how
>big a hole am I opening up for myself?
It could be enormous. A 200 yr old financial institution was destroyed by
the actions of a relatively junior employee because their risk management
system was inadequate - and yes they did have a firewall.
>I'm well aware that if somebody really *wanted* to break into our network,
>they could (there are a thousand ways; the Internet is the least of my
>concerns, frankly): I'm more concerned about how likely it is that they
>*will*.
That's a key question which you can only hope to answer if you have a real
enterprise policy with associated risk policy, a method of enforcing same,
continuous review of same.
Ian J-B